@vortex-os/computer-use 0.7.0 → 0.7.2

package/scripts/mcp-stdio.mjs

@@ -1,1324 +1,1376 @@
-#!/usr/bin/env node
-// @vortex-os/computer-use — read-only screen-perception MCP stdio server (Windows-first).
-// Tools: probe · read_ui · classify_activity · capture_screen · watch_capture · poll_change · start_watch · get_events · stop_watch · beep · speak.
-// Control is out of scope.
-// Two modes (bin `vortex-mcp-computer-use`):
-//   - default: run the stdio server (what an MCP host launches).
-//   - `install`: self-register into the project `.mcp.json` under the non-reserved key
-//     `vortex-computer-use` (merge-safe). e.g. `npx vortex-mcp-computer-use install`.
-// Optional dep: @modelcontextprotocol/sdk — loaded DYNAMICALLY only on the serve path (see the
-// bottom dispatch), so `install` registers and exits without needing the SDK present.
-import { spawnSync, spawn } from 'node:child_process';
-import { fileURLToPath } from 'node:url';
-import { dirname, join } from 'node:path';
-import { readFileSync, unlinkSync, statSync, mkdtempSync, rmSync, existsSync, mkdirSync, writeFileSync, renameSync, appendFileSync } from 'node:fs';
-import { tmpdir, homedir } from 'node:os';
-import { createHmac, randomBytes } from 'node:crypto';
-import { NoiseFilter, resolveFilterConfig } from './noise-filter.mjs';
-import { sanitizeForSpeech, buildUtterance, estimateSpeechMs, SpeechBudget } from './speech-safety.mjs';
-import { parseVlmConfig, vlmGate, buildChatBody, extractText, SYNTH_PNG_B64, DEFAULT_VLM_PROMPT } from './vlm.mjs';
-import { classifyActivity } from './activity.mjs';
-
-const dir = dirname(fileURLToPath(import.meta.url));
-const plat = process.platform;
-
-// ── redaction config (§8·§14) ─────────────────────────────────────────────
-// Normalize the denylist into env (JSON array) so children (worker / per-call spawn) inherit it -> no per-call args. Config source: env > config file.
-// The actual blocking is done by the backend (lib.ps1 Test-AxDenylist) right before CopyFromScreen (Node doesn't know which windows are inside the region/monitor).
-function loadRedactionConfig() {
-  let titles = [], procs = [];
-  try {
-    const cfgPath = join(dir, 'computer-use.config.json');
-    if (existsSync(cfgPath)) {
-      const r = (JSON.parse(readFileSync(cfgPath, 'utf8')) || {}).redaction || {};
-      if (Array.isArray(r.denyWindowTitles)) titles = r.denyWindowTitles;
-      if (Array.isArray(r.denyProcesses)) procs = r.denyProcesses;
-    }
-  } catch {}
-  try { if (process.env.VORTEX_CU_DENY_TITLES) titles = JSON.parse(process.env.VORTEX_CU_DENY_TITLES); } catch {}
-  try { if (process.env.VORTEX_CU_DENY_PROCS) procs = JSON.parse(process.env.VORTEX_CU_DENY_PROCS); } catch {}
-  titles = (Array.isArray(titles) ? titles : []).map(String).filter(Boolean);
-  procs = (Array.isArray(procs) ? procs : []).map(String).filter(Boolean);
-  process.env.VORTEX_CU_DENY_TITLES = JSON.stringify(titles);   // re-export for child inheritance (after normalization)
-  process.env.VORTEX_CU_DENY_PROCS = JSON.stringify(procs);
-  return { titles, procs };
-}
-const REDACTION = loadRedactionConfig();
-
-// ── TTS / audio-ducking config (file < env precedence, like the denylist) ──────────────────
-// Reads the `tts` section of computer-use.config.json and fills process.env ONLY where the matching env var is
-// unset, so a user can tune voice/engine/ducking in the config FILE (no env needed) while env still wins. The
-// values flow unchanged to the spawned speak helpers (speak-supertonic.mjs / speak.ps1), which read these env vars.
-function loadTtsConfig() {
-  let cfg = {};
-  try {
-    const cfgPath = join(dir, 'computer-use.config.json');
-    if (existsSync(cfgPath)) cfg = (JSON.parse(readFileSync(cfgPath, 'utf8')) || {}).tts || {};
-  } catch {}
-  const setIfUnset = (k, v) => { if (v !== undefined && v !== null && (process.env[k] === undefined || process.env[k] === '')) process.env[k] = String(v); };
-  setIfUnset('VORTEX_CU_TTS_ENGINE', cfg.engine);       // 'auto' (default) | 'supertonic' | 'heami'
-  setIfUnset('VORTEX_CU_TTS_VOICE', cfg.voice);         // Supertonic voice: F1..F5 / M1..M5
-  setIfUnset('VORTEX_CU_TTS_MODEL_DIR', cfg.modelDir);  // Supertonic model cache (default ~/.vortex/computer-use/supertonic-3)
-  setIfUnset('VORTEX_CU_TTS_LANG', cfg.lang);           // spoken language (defaults to the OCR language)
-  if (cfg.duck === false) setIfUnset('VORTEX_CU_DUCK', 'off');   // lower other apps while speaking (default on)
-  setIfUnset('VORTEX_CU_DUCK_FACTOR', cfg.duckFactor);  // others -> original*factor during speech (0..1; default 0.3)
-}
-loadTtsConfig();
-
-// ── companion (adaptive screen companion) config — same file<env precedence ──
-// `companion.uiaCanvasMax` tunes the GPU-canvas (game/video) UIA cutoff; `companion.profiles` overrides per-class
-// cadence/proactivity (e.g. { "GAME": { "cadenceSec": 20 } }). Consumed by classify_activity.
-let COMPANION_PROFILES = {};
-function loadCompanionConfig() {
-  let cfg = {};
-  try {
-    const cfgPath = join(dir, 'computer-use.config.json');
-    if (existsSync(cfgPath)) cfg = (JSON.parse(readFileSync(cfgPath, 'utf8')) || {}).companion || {};
-  } catch {}
-  if (cfg.uiaCanvasMax != null && (process.env.VORTEX_CU_UIA_CANVAS_MAX === undefined || process.env.VORTEX_CU_UIA_CANVAS_MAX === '')) {
-    process.env.VORTEX_CU_UIA_CANVAS_MAX = String(cfg.uiaCanvasMax);
-  }
-  COMPANION_PROFILES = (cfg.profiles && typeof cfg.profiles === 'object') ? cfg.profiles : {};
-}
-loadCompanionConfig();
-
-// ── audit log (§8: metadata/HMAC only, original image not stored) ──────────────────────
-// Location = under LocalAppData (outside the instance data/ -> won't leak via corporate sync, codex MEDIUM). The key lives there too.
-const AUDIT_DIR = join(process.env.LOCALAPPDATA || join(homedir(), '.local', 'share'), 'vortex-computer-use', 'audit');
-function loadAuditKey() {
-  try {
-    mkdirSync(AUDIT_DIR, { recursive: true });
-    const kp = join(AUDIT_DIR, '.hmac-key');
-    if (existsSync(kp)) { const k = readFileSync(kp, 'utf8').trim(); if (k) return k; }
-    const k = randomBytes(32).toString('hex');
-    writeFileSync(kp, k, { mode: 0o600 });   // Windows ignores mode, but LocalAppData is per-user
-    return k;
-  } catch (e) {
-    // Auditing is a record, not an access control — a failed key setup must not block perception (capture); local tool availability. But don't swallow it silently — warn (codex r2 MEDIUM).
-    process.stderr.write(`[computer-use MCP] WARNING: audit log disabled — could not set up HMAC key (${(e && e.message) || e}). Perception still works; captures will NOT be audited.\n`);
-    return null;
-  }
-}
-const AUDIT_KEY = loadAuditKey();
-function auditHmac(buf) { return createHmac('sha256', AUDIT_KEY).update(buf).digest('hex'); }
-function auditLog(tool, payload, imageItems) {
-  if (!AUDIT_KEY) return;   // skip silently if key setup failed (the tool keeps working)
-  try {
-    const p = payload || {};
-    // Detect not only top-level redacted/partialRedacted but also the nested captures[].redacted of a multi-frame watch (codex r3 MEDIUM).
-    const isRed = !!(p.redacted || p.partialRedacted || (Array.isArray(p.captures) && p.captures.some((f) => f && f.redacted)));
-    const rec = {
-      ts: new Date().toISOString(), tool,
-      mode: typeof p.target === 'string' ? p.target : undefined,
-      titleHmac: p.window ? auditHmac(String(p.window)).slice(0, 16) : undefined,   // window title not stored in plaintext (HMAC only, A4-1)
-      redacted: isRed, reason: p.reason || undefined,
-      outputBytes: 0, contentHmac: undefined,
-    };
-    const h = createHmac('sha256', AUDIT_KEY);
-    if (imageItems && imageItems.length) {
-      for (const im of imageItems) { const b = Buffer.from(im.data, 'base64'); rec.outputBytes += b.length; h.update(b); }
-    } else { h.update(JSON.stringify(p)); }   // JSON.stringify blocks JSONL injection (newlines / control chars) (codex MEDIUM)
-    rec.contentHmac = h.digest('hex').slice(0, 32);
-    const day = rec.ts.slice(0, 10);
-    appendFileSync(join(AUDIT_DIR, `cu-${day}.jsonl`), JSON.stringify(rec) + '\n');
-  } catch {}
-}
-
-// OS-native backend (same as action-ext.mjs — a single source would be ideal, but it's duplicated since this is a PoC)
-const B = {
-  win32: {
-    probe:   ['pwsh', ['-NoProfile', '-File', join(dir, 'probe.ps1')]],
-    read:    ['pwsh', ['-NoProfile', '-File', join(dir, 'read-ui.ps1')]],
-    classify: ['pwsh', ['-NoProfile', '-File', join(dir, 'classify.ps1')]],
-    capture: ['pwsh', ['-NoProfile', '-File', join(dir, 'point-to-ask.ps1')]],
-  },
-  darwin: {
-    probe:   ['bash', [join(dir, 'mac', 'probe.sh')]],
-    read:    ['osascript', ['-l', 'JavaScript', join(dir, 'mac', 'read-ui.js')]],
-    capture: ['bash', [join(dir, 'mac', 'point-to-ask.sh')]],
-  },
-};
-
-// Returns: { payload, isError } — backend abnormal exit / non-JSON output is surfaced as isError (so an error never flows as if normal in the watch loop).
-function runBackend(kind, extraArgs = [], timeoutMs = 0) {
-  const b = B[plat]?.[kind];
-  if (!b) return { payload: { error: `unsupported platform/op: ${plat}/${kind}`, grade: 'P0 (manual) fallback' }, isError: true };
-  const [exe, base] = b;
-  // Optional hard timeout: a one-shot tool (e.g. classify_activity) must not let a hung COM/UIA call freeze the
-  // synchronous spawn (and thus the event loop). On timeout, spawnSync kills the child and sets r.error.
-  const opts = { encoding: 'utf8', maxBuffer: 8 * 1024 * 1024 };
-  if (timeoutMs > 0) { opts.timeout = timeoutMs; opts.killSignal = 'SIGKILL'; }
-  const r = spawnSync(exe, [...base, ...extraArgs], opts);
-  if (r.error) return { payload: { error: String(r.error) }, isError: true };
-  const failed = r.status !== 0;
-  try {
-    return { payload: JSON.parse(r.stdout), isError: failed };
-  } catch {
-    return { payload: { error: 'backend produced non-JSON output', exitCode: r.status, raw: (r.stdout || '').trim(), stderr: (r.stderr || '').trim() }, isError: true };
-  }
-}
-
-// Async backend runner for long/streaming ops (watch_capture). Never blocks the event loop, and a hard
-// timeout kills the child and returns isError — so one watch call can't hang the whole MCP server (codex #high).
-function runBackendAsync(kind, extraArgs = [], timeoutMs = 120000, cleanupDir = null) {
-  return new Promise((resolve) => {
-    const b = B[plat]?.[kind];
-    if (!b) return resolve({ payload: { error: `unsupported platform/op: ${plat}/${kind}`, grade: 'P0 (manual) fallback' }, isError: true });
-    const [exe, base] = b;
-    const MAX_OUT = 16 * 1024 * 1024;   // cap stdout/stderr accumulation; abort on overflow (codex #med DoS)
-    let out = '', err = '', settled = false, pending = null, killFallback = null;
-    const child = spawn(exe, [...base, ...extraArgs], { stdio: ['ignore', 'pipe', 'pipe'] });
-    const resolveOnce = (payload, isError, cleanupOwned = false) => {
-      if (settled) return; settled = true;
-      clearTimeout(timer); if (killFallback) clearTimeout(killFallback);
-      resolve({ payload, isError, cleanupOwned });
-    };
-    // Abort = decide the outcome + kill the child, but RESOLVE only after the child has CLOSED (file handles released)
-    // so the caller's reqDir cleanup can't race a still-flushing process (codex #high). If close never arrives within the
-    // grace window, resolve anyway but TAKE OWNERSHIP of reqDir cleanup (deferred to the eventual close, with a hard reaper)
-    // and signal cleanupOwned so the caller skips its own rmSync — we never delete a dir a live pwsh might still hold.
-    const abort = (payload) => {
-      if (pending || settled) return;
-      pending = payload;
-      try { child.kill(); } catch {}
-      killFallback = setTimeout(() => {
-        if (cleanupDir) {
-          child.once('close', () => { try { rmSync(cleanupDir, { recursive: true, force: true }); } catch {} });
-          const reaper = setTimeout(() => { try { rmSync(cleanupDir, { recursive: true, force: true }); } catch {} }, 30000);
-          if (reaper.unref) reaper.unref();
-        }
-        resolveOnce(pending, true, cleanupDir != null);
-      }, 3000);
-      if (killFallback.unref) killFallback.unref();
-    };
-    const timer = setTimeout(() => abort({ error: `watch timed out after ${timeoutMs}ms`, partial: (out || '').slice(0, 200) }), timeoutMs);
-    child.stdout.setEncoding('utf8'); child.stdout.on('data', (d) => { if (pending || settled) return; out += d; if (out.length > MAX_OUT) abort({ error: 'backend stdout exceeded cap' }); });
-    child.stderr.setEncoding('utf8'); child.stderr.on('data', (d) => { if (pending || settled || err.length >= MAX_OUT) return; err += d; });
-    child.on('error', (e) => resolveOnce({ error: String((e && e.message) || e) }, true));
-    child.on('close', (code) => {
-      if (pending) return resolveOnce(pending, true);   // aborted AND child closed within grace → caller can clean safely
-      if (settled) return;
-      try { resolveOnce(JSON.parse(out), code !== 0); }
-      catch { resolveOnce({ error: 'backend produced non-JSON output', exitCode: code, raw: (out || '').trim().slice(0, 500), stderr: (err || '').trim().slice(0, 500) }, true); }
-    });
-  });
-}
-
-// ── resident PowerShell worker (Windows MCP only) ─────────────────────────────
-// Removes the per-call pwsh re-spawn (~150-370ms setup) — keeps one worker alive and talks to it over JSON-lines.
-// Safeguards (codex cross-check): lazy start (spawn only on first call) · idle shutdown (N seconds with no command) ·
-//   single-worker command queue serialization · id matching · a generation (= process identity) guard to ignore stale events ·
-//   on crash, reject in-flight (no auto-retry of side-effect ops) · on no-response timeout, kill the worker and re-spawn.
-// Multi-instance: each MCP server has its own worker (dedicated pipe) -> no conflicts. On parent exit the
-//   worker auto-terminates via stdin EOF. watch isn't run on the worker (avoids long occupation) — done per-call.
-const WORKER = ['pwsh', ['-NoProfile', '-File', join(dir, 'worker.ps1')]];
-const WORKER_IDLE_MS = Number(process.env.VORTEX_AX_WORKER_IDLE_MS || 60000);
-const OP_TIMEOUT_MS = Number(process.env.VORTEX_AX_OP_TIMEOUT_MS || 10000);
-
-class WorkerManager {
-  constructor([exe, args]) { this.exe = exe; this.args = args; this.worker = null; this.buf = ''; this.seq = 0; this.inFlight = null; this.queue = []; this.idleTimer = null; }
-
-  call(op, args, timeoutMs = OP_TIMEOUT_MS) {
-    return new Promise((resolve, reject) => { this.queue.push({ op, args, timeoutMs, resolve, reject }); this._pump(); });
-  }
-
-  _spawn() {
-    const child = spawn(this.exe, this.args, { stdio: ['pipe', 'pipe', 'pipe'] });
-    this.worker = child; this.buf = '';
-    child.stdout.setEncoding('utf8');
-    child.stdout.on('data', (chunk) => {
-      if (child !== this.worker) return;                 // generation guard: ignore the old worker
-      this.buf += chunk;
-      let nl;
-      while ((nl = this.buf.indexOf('\n')) >= 0) {
-        const line = this.buf.slice(0, nl).trim();
-        this.buf = this.buf.slice(nl + 1);
-        if (line) this._onLine(line);
-      }
-    });
-    child.stderr.on('data', (d) => process.stderr.write(`[ax-worker] ${d}`));
-    child.stdin.on('error', () => {});                   // EPIPE etc. are cleaned up in exit/error — here we only prevent an unhandled crash
-    child.on('error', (err) => this._onGone(child, `worker spawn/runtime error: ${err && err.message}`));
-    child.on('exit', (code) => this._onGone(child, `worker exited (code ${code}) before responding`));
-  }
-
-  _onGone(child, reason) {
-    if (child !== this.worker) return;                   // generation guard: ignore an old / already-replaced worker
-    this.worker = null;
-    const f = this.inFlight;
-    if (f) { clearTimeout(f.timer); this.inFlight = null; f.reject(new Error(reason)); }
-    if (this.queue.length) this._pump();                 // run the backlog on a new worker (no auto-retry of side-effect ops)
-  }
-
-  _onLine(line) {
-    let msg;
-    try { msg = JSON.parse(line); } catch { process.stderr.write(`[ax-worker] non-JSON line dropped: ${line.slice(0, 120)}\n`); return; }
-    const f = this.inFlight;
-    if (!f || msg.id !== f.id) return;                   // stale/mismatch
-    clearTimeout(f.timer); this.inFlight = null;
-    if (msg.ok) f.resolve(msg.result); else f.reject(new Error(msg.error || 'worker error'));
-    this._pump();
-  }
-
-  _pump() {
-    if (this.inFlight) return;
-    if (this.queue.length === 0) { this._scheduleIdle(); return; }
-    if (this.idleTimer) { clearTimeout(this.idleTimer); this.idleTimer = null; }
-    if (!this.worker) this._spawn();
-    const job = this.queue.shift();
-    const id = ++this.seq;
-    const timer = setTimeout(() => {
-      if (this.inFlight && this.inFlight.id === id) {     // no response -> assume the worker is stuck and kill it
-        const w = this.worker; this.worker = null;
-        const rej = this.inFlight.reject; this.inFlight = null;
-        if (w) { try { w.kill(); } catch {} }
-        rej(new Error(`worker op timeout after ${job.timeoutMs}ms`));
-        this._pump();
-      }
-    }, job.timeoutMs);
-    this.inFlight = { id, resolve: job.resolve, reject: job.reject, timer };
-    try { this.worker.stdin.write(JSON.stringify({ id, op: job.op, args: job.args }) + '\n'); }
-    catch (e) {
-      clearTimeout(timer); this.inFlight = null;
-      const w = this.worker; this.worker = null;
-      if (w) { try { w.kill(); } catch {} }
-      job.reject(e); this._pump();                        // assume the worker is dead, clean up, and proceed to the next request (prevents queue stall)
-    }
-  }
-
-  _scheduleIdle() {
-    if (this.idleTimer || !this.worker) return;
-    this.idleTimer = setTimeout(() => { this.idleTimer = null; if (!this.inFlight && this.queue.length === 0) this.dispose(); }, WORKER_IDLE_MS);
-    if (this.idleTimer.unref) this.idleTimer.unref();
-  }
-
-  dispose() {
-    if (this.idleTimer) { clearTimeout(this.idleTimer); this.idleTimer = null; }
-    const w = this.worker; this.worker = null;
-    if (w) { try { w.stdin.end(); } catch {} try { w.kill(); } catch {} }
-  }
-}
-
-const workerMgr = new WorkerManager(WORKER);
-
-// watchIds this server process has dispatched a poll_change for — to detect a SILENT baseline reset
-// (the resident worker was idle-disposed / killed / crashed and lost its in-memory watch state). codex #high.
-const pollSeen = new Set();
-
-// Server-owned volatility (codex blocker, design §8): when a backend wrote screenshot file(s), read them inline as
-// MCP image content and DELETE them immediately — no on-disk path is returned, so a crashed/idle caller can't leave
-// sensitive screenshots behind. Bounded: at most MAX_INLINE_IMAGES are embedded; extras are still unlinked + counted.
-const MAX_INLINE_IMAGES = 8;
-const MAX_IMAGE_BYTES = 8 * 1024 * 1024;          // per-image cap (codex #med — bound response size, avoid blocking read)
-const MAX_TOTAL_INLINE_BYTES = 24 * 1024 * 1024;  // total inline cap across a response
-function materializeImages(payload) {
-  const images = [];
-  let inlined = 0, dropped = 0, totalBytes = 0;
-  const take = (p) => {
-    if (!p || typeof p !== 'string') return false;
-    let ok = false;
-    try {
-      const sz = statSync(p).size;
-      if (inlined < MAX_INLINE_IMAGES && sz <= MAX_IMAGE_BYTES && totalBytes + sz <= MAX_TOTAL_INLINE_BYTES) {
-        images.push({ type: 'image', data: readFileSync(p).toString('base64'), mimeType: 'image/png' });
-        inlined++; totalBytes += sz; ok = true;
-      } else { dropped++; }
-    } catch { /* file already gone — fine */ }
-    try { unlinkSync(p); } catch {}
-    return ok;
-  };
-  if (payload && typeof payload === 'object') {
-    if (payload.path) { const g = take(payload.path); delete payload.path; payload.image = g ? 'inline' : 'unavailable'; }
-    if (Array.isArray(payload.captures)) {
-      for (const f of payload.captures) { if (f && f.path) { const g = take(f.path); delete f.path; f.image = g ? 'inline' : 'unavailable'; } }
-    }
-    if (dropped > 0) payload.imagesDropped = dropped;
-  }
-  return images;
-}
-
-async function viaWorker(op, args, timeoutMs) {
-  try { return { payload: await workerMgr.call(op, args, timeoutMs), isError: false }; }
-  catch (e) { return { payload: { error: String((e && e.message) || e) }, isError: true }; }
-}
-
-// ── watch sessions: background noise-filtered watch + in-memory event buffer (design §22.1·§22.2) ──
-// start_watch spins a non-blocking poll loop OWNED BY THIS SERVER — not a separate process, and not the
-// single worker's request slot (the worker stays a dumb single-shot capture engine; long watches must
-// not occupy it, codex #1). Each tick polls the target's frame-to-frame change via the worker, feeds it
-// to a NoiseFilter (debounce + cooldown + maxWait), and on an emit captures the settled frame and
-// appends an event to a bounded in-memory ring buffer. get_events drains the buffer (non-blocking,
-// batched -> few LLM looks); stop_watch ends it. The buffer is memory-only with count/byte/TTL caps and
-// the frames live in RAM only (design §24.1 — no screen history on disk; the brief capture temp file is
-// materialized inline + unlinked at once). Denylist + volatility apply per frame via the reused worker ops.
-// Concurrency is deliberately conservative: every watch tick enqueues a poll_change on the SAME single
-// PowerShell worker the foreground tools use, so too many fast watches would starve the agent's own
-// capture_screen/read_ui calls (codex MED). 4 watches at a 400ms floor caps worst-case worker pressure at
-// ~10 polls/s; a global foreground-priority queue is the documented next step if this proves tight.
-const MAX_WATCHES = 4;                          // concurrent background watches cap
-const WATCH_MIN_INTERVAL = 400, WATCH_MAX_INTERVAL = 5000;
-const WATCH_DEFAULT_INTERVAL = 600;
-const WATCH_MAX_DURATION_MS = 30 * 60 * 1000;   // auto-stop a forgotten watch (privacy §8 + runaway guard)
-const EVENT_RING_MAX = 64;                       // max buffered events per watch (oldest dropped when full)
-const EVENT_TTL_MS = 5 * 60 * 1000;              // buffered events older than this are evicted unread (§24.1 TTL)
-const EVENT_IMG_MAX_BYTES = 4 * 1024 * 1024;     // per-event inline image cap
-const WATCH_BUF_MAX_BYTES = 24 * 1024 * 1024;    // total inline image bytes held across one watch buffer
-const GET_EVENTS_MAX = 12;                       // events returned per get_events call
-const GET_EVENTS_MAX_IMAGES = 8;                 // image items returned per get_events call (MCP response bound)
-const round2 = (n) => (Number.isFinite(Number(n)) ? Math.round(Number(n) * 100) / 100 : n);
-
-function buildWatchTargetArgs(a) {
-  const t = {};
-  if (a.region) t.region = `${a.region.x},${a.region.y},${a.region.w},${a.region.h}`;
-  if (a.window) t.windowMatch = String(a.window);
-  if (a.monitor != null) t.monitor = String(a.monitor);
-  if (a.boxW) t.boxW = a.boxW;
-  if (a.boxH) t.boxH = a.boxH;
-  if (a.detail) t.detail = String(a.detail);
-  return t;
-}
-function watchTargetLabel(a) {
-  if (a.region) return `region ${a.region.x},${a.region.y} ${a.region.w}x${a.region.h}`;
-  if (a.window) return `window "${a.window}"`;
-  if (a.monitor != null) return `monitor ${a.monitor}`;
-  return 'cursor';
-}
-
-// ── reflex path: fixed-phrase / OCR readout spoken LOCALLY, no cloud round-trip (design §22.3) ──
-// A registered trigger crossing fires beep / say(fixed phrase) / ocr(read the region's text) directly from
-// the watch loop. Speech goes through the GLOBAL speech safety (codex r1): screen-derived text (ocr) is
-// never voiced raw — it gets a "화면 글자:" provenance prefix + control/secret shaping + a per-minute
-// utterance & seconds budget with no-overlap and auto-mute. OCR uses the in-box Windows PowerShell 5.1
-// (pwsh 7 can't load WinRT OCR); TTS uses pwsh 7 System.Speech. Both are spawned (non-blocking) and
-// degrade silently if absent. The OCR crop comes from the SAME denylist-gated worker capture (never an
-// arbitrary file), so a denylisted window blocks reflex OCR too (codex r1 MED).
-const PS51 = join(process.env.WINDIR || 'C:\\Windows', 'System32', 'WindowsPowerShell', 'v1.0', 'powershell.exe');
-const OCR_SCRIPT = join(dir, 'ocr.ps1');
-const SPEAK_SCRIPT = join(dir, 'speak.ps1');
-const OCR_LANG = process.env.VORTEX_CU_OCR_LANG || 'ko';
-const SPEAK_TOWAV_DIR = process.env.VORTEX_CU_SPEAK_TOWAV_DIR || '';   // test hook: render speech to WAV instead of audio
-const speechBudget = new SpeechBudget();                              // GLOBAL across all watches (one set of ears)
-let speakingChild = null;
-let speakSeq = 0;
-
-const MAX_SPEAK_MS = 30000;   // hard upper bound for one utterance so a hung TTS can't hold the no-overlap lock forever (codex r2 MED)
-
-// Provenance for screen-derived speech (ocr/vision): by DEFAULT a self-documenting verbal prefix ("화면 글자:" …)
-// so even a first-time listener knows the source — this is the prior HIGH control (voicing raw screen text is a
-// social-engineering channel) and a chime alone can't convey it, so spoken stays the default (codex r1 HIGH).
-// VORTEX_CU_SPEECH_PROVENANCE=earcon is an explicit opt-in to a non-verbal chime instead. Either way the source
-// is marked. Agent/user-authored speech ('agent' via the `speak` tool, and a fixed 'say' phrase) is trusted
-// content and carries NO provenance mark.
-const SPEECH_PROVENANCE_EARCON = process.env.VORTEX_CU_SPEECH_PROVENANCE === 'earcon';
-const EARCON_EST_MS = 250;   // chime duration to reserve against the speech budget when earcon mode is on (codex r1 LOW)
-
-// ── TTS engine: Supertonic (separate-install ONNX neural, higher quality) with Heami fallback ──
-// The audio-RENDER step only. The safety/budget/provenance layer above (buildUtterance + speechBudget) is
-// engine-agnostic; only the final spawn differs. Engine is resolved ONCE at startup (not per-utterance): 'auto'
-// picks Supertonic when its models + onnxruntime-node are present, else the always-available Heami (speak.ps1).
-// VORTEX_CU_TTS_ENGINE=auto|supertonic|heami. Models live in VORTEX_CU_TTS_MODEL_DIR (fetch-supertonic.mjs writes
-// the default ~/.vortex/computer-use/supertonic-3). Voice VORTEX_CU_TTS_VOICE (F1..F5/M1..M5), lang follows OCR_LANG.
-const SPEAK_SUPERTONIC = join(dir, 'speak-supertonic.mjs');
-const TTS_ENGINE_CFG = (process.env.VORTEX_CU_TTS_ENGINE || 'auto').toLowerCase();
-const TTS_MODEL_DIR = process.env.VORTEX_CU_TTS_MODEL_DIR || join(homedir(), '.vortex', 'computer-use', 'supertonic-3');
-const TTS_VOICE = process.env.VORTEX_CU_TTS_VOICE || 'F1';
-const TTS_LANG = process.env.VORTEX_CU_TTS_LANG || OCR_LANG;
-function supertonicAvailable() {
-  try {
-    const onnx = join(TTS_MODEL_DIR, 'onnx');
-    const need = ['duration_predictor.onnx', 'text_encoder.onnx', 'vector_estimator.onnx', 'vocoder.onnx', 'tts.json', 'unicode_indexer.json'];
-    if (!need.every((f) => existsSync(join(onnx, f)))) return false;
-    if (!existsSync(join(TTS_MODEL_DIR, 'voice_styles', `${TTS_VOICE}.json`))) return false;
-    import.meta.resolve('onnxruntime-node');   // throws if the optional dep isn't installed -> fall back to Heami
-    return true;
-  } catch { return false; }
-}
-// 'heami' forces SAPI; 'supertonic'/'auto' use Supertonic when actually available, else fall back (never go mute).
-const TTS_ENGINE = TTS_ENGINE_CFG === 'heami' ? 'heami'
-  : ((TTS_ENGINE_CFG === 'supertonic' || TTS_ENGINE_CFG === 'auto') && supertonicAvailable() ? 'supertonic' : 'heami');
-
-// Speak a finalized utterance without blocking the watch loop.
-//   kind: 'agent' (the `speak` tool — agent's judged words, no mark, redacted) | 'say' (fixed phrase, no mark)
-//       | 'ocr' | 'vision' (screen-derived, untrusted — marked + shaped).
-function reflexSpeak(kind, text) {
-  const screenDerived = kind === 'ocr' || kind === 'vision';
-  const earcon = screenDerived && SPEECH_PROVENANCE_EARCON;
-  // Earcon mode carries provenance via the chime, so DON'T bake the spoken prefix — but keep the SAME shaping
-  // (control-char strip, secret redaction, length cap) buildUtterance applies to screen text.
-  const utt = earcon ? sanitizeForSpeech(text) : buildUtterance(kind, text);
-  if (!utt) return { ok: false, reason: 'empty' };
-  const res = speechBudget.tryReserve(estimateSpeechMs(utt) + (earcon ? EARCON_EST_MS : 0), Date.now());
-  if (!res.ok) return res;
-  try {
-    let child;
-    if (TTS_ENGINE === 'supertonic') {
-      // Render via the separate-install ONNX neural engine (higher quality). Same spawn lifecycle as Heami below:
-      // non-blocking, killed by the MAX_SPEAK_MS watchdog, budget released exactly once on exit.
-      const sargs = [SPEAK_SUPERTONIC, '--text', utt, '--voice', TTS_VOICE, '--lang', TTS_LANG, '--model-dir', TTS_MODEL_DIR];
-      if (earcon) sargs.push('--earcon');
-      if (SPEAK_TOWAV_DIR) sargs.push('--to-wav', join(SPEAK_TOWAV_DIR, `utt-${++speakSeq}.wav`));
-      child = spawn(process.execPath, sargs, { stdio: 'ignore' });
-    } else {
-      const args = ['-NoProfile', '-File', SPEAK_SCRIPT, '-Text', utt];
-      if (earcon) args.push('-Earcon', 'screen');
-      if (SPEAK_TOWAV_DIR) args.push('-ToWav', join(SPEAK_TOWAV_DIR, `utt-${++speakSeq}.wav`));
-      child = spawn('pwsh', args, { stdio: 'ignore' });
-    }
-    speakingChild = child;
-    // Release the budget EXACTLY ONCE per child, and only if this child still owns the active reservation —
-    // a late/duplicate exit+error event must not free a newer utterance's slot (codex r2 LOW/MED). A hard
-    // timeout kills a hung speaker so it can't deadlock no-overlap (codex r2 MED).
-    let released = false;
-    const done = () => { if (released) return; released = true; clearTimeout(killer); if (speakingChild === child) { speakingChild = null; speechBudget.release(); } };
-    const killer = setTimeout(() => { try { child.kill(); } catch {} done(); }, MAX_SPEAK_MS);
-    if (killer.unref) killer.unref();
-    child.on('exit', done); child.on('error', done);
-    return { ok: true, uttered: utt };
-  } catch { speechBudget.release(); return { ok: false, reason: 'spawn-failed' }; }
-}
-
-// OCR a worker-captured temp PNG via the 5.1 helper, hard time-bounded; returns recognized text or null.
-// Resolves only AFTER the child has CLOSED (even on timeout: kill, then wait for close) so the PNG file
-// handle is released before the caller unlinks the crop — otherwise a still-open handle leaves a screen
-// crop on disk (codex r2 MED).
-function runOcr(pngPath) {
-  return new Promise((resolve) => {
-    let out = '', settled = false, killed = false, child;
-    const done = (v) => { if (settled) return; settled = true; clearTimeout(timer); resolve(v); };
-    try {
-      child = spawn(PS51, ['-NoProfile', '-NonInteractive', '-ExecutionPolicy', 'Bypass', '-File', OCR_SCRIPT, '-ImagePath', pngPath, '-Lang', OCR_LANG], { stdio: ['ignore', 'pipe', 'ignore'] });
-    } catch { return resolve(null); }
-    const timer = setTimeout(() => { killed = true; try { child.kill(); } catch {} }, 6000);
-    child.stdout.setEncoding('utf8');
-    child.stdout.on('data', (d) => { out += d; if (out.length > 65536) { killed = true; try { child.kill(); } catch {} } });
-    child.on('error', () => done(null));
-    child.on('close', () => { if (killed) return done(null); try { const j = JSON.parse(out.trim()); done(j && j.ok ? j.text : null); } catch { done(null); } });
-  });
-}
-
-// ── local VLM "middle path" (design §22.3 / §23.2 / §24): OPTIONAL, GPU-gated, off unless a trusted fast
-// local endpoint is reachable. The reflex/brain paths work with no GPU; this only adds a smarter local
-// description when the hardware allows. Capability is PROBED per session (never stored), with a SYNTHETIC
-// image first (never a real crop before the endpoint is trusted), and gated on a measured latency SLA.
-const VLM = parseVlmConfig();
-const VLM_PROBE_TTL = 5 * 60 * 1000;
-let vlmProbe = null, vlmProbeAt = 0, vlmProbing = null;
-
-const VLM_MAX_CROP_BYTES = 6 * 1024 * 1024;   // bound the data: URL we send (crop is already size-bounded; defence-in-depth)
-const VLM_MAX_RESP_BYTES = 256 * 1024;        // a short description reply is tiny — cap a hostile/huge response (codex MED)
-
-// Read a response body up to maxBytes, then stop (so a huge/streaming reply can't exhaust memory).
-async function readCappedText(r, maxBytes) {
-  const reader = r.body && r.body.getReader ? r.body.getReader() : null;
-  if (!reader) { const t = await r.text(); return t.length <= maxBytes ? t : null; }
-  let total = 0; const parts = [];
-  for (;;) {
-    const { done, value } = await reader.read();
-    if (done) break;
-    if (value) { total += value.length; if (total > maxBytes) { try { await reader.cancel(); } catch {} return null; } parts.push(Buffer.from(value)); }
-  }
-  return Buffer.concat(parts).toString('utf8');
-}
-
-async function httpChat(body, timeoutMs) {
-  const ctrl = new AbortController();
-  const timer = setTimeout(() => ctrl.abort(), timeoutMs);
-  try {
-    const headers = { 'content-type': 'application/json' };
-    if (VLM.key) headers.authorization = `Bearer ${VLM.key}`;
-    // redirect:'manual' so a 3xx can't replay this POST (with a real crop) to a DIFFERENT host, bypassing
-    // the remote-off trust gate (codex MED). A local VLM server never needs redirects → treat any non-2xx as fail.
-    const r = await fetch(`${VLM.endpoint}/chat/completions`, { method: 'POST', headers, body: JSON.stringify(body), signal: ctrl.signal, redirect: 'manual' });
-    if (!r.ok || r.type === 'opaqueredirect') return { ok: false, status: r.status, redirected: r.type === 'opaqueredirect' };
-    const clen = Number(r.headers.get('content-length') || 0);
-    if (clen && clen > VLM_MAX_RESP_BYTES) return { ok: false, error: 'response too large' };
-    const txt = await readCappedText(r, VLM_MAX_RESP_BYTES);
-    if (txt === null) return { ok: false, error: 'response exceeded cap' };
-    try { return { ok: true, json: JSON.parse(txt) }; } catch { return { ok: false, error: 'non-JSON response' }; }
-  } catch (e) { return { ok: false, error: String((e && e.name === 'AbortError') ? 'timeout' : (e && e.message) || e) }; }
-  finally { clearTimeout(timer); }
-}
-
-// Probe the VLM with a SYNTHETIC image only (no real screen) — measure reachability + latency, confirm a
-// usable reply. Cached per process for VLM_PROBE_TTL. Note: synthetic latency is a LOWER bound (a real crop
-// is larger/slower), so it gates OUT a too-slow endpoint but doesn't guarantee a real call is within budget.
-async function probeVlm() {
-  const gate = vlmGate(VLM);
-  if (!gate.ok) return { available: false, reason: gate.reason, tier: gate.tier };
-  const now = Date.now();
-  if (vlmProbe && now - vlmProbeAt < VLM_PROBE_TTL) return vlmProbe;
-  if (vlmProbing) return vlmProbing;
-  vlmProbing = (async () => {
-    const t0 = Date.now();
-    const res = await httpChat(buildChatBody(VLM.model, '이미지가 보이면 ok 라고만 답해.', SYNTH_PNG_B64, 8), VLM.slaMs);
-    const latencyMs = Date.now() - t0;
-    let out;
-    if (!res.ok) out = { available: false, reason: `endpoint not reachable (${res.error || 'http ' + res.status})`, tier: gate.tier };
-    else if (latencyMs > VLM.slaMs) out = { available: false, reason: `too slow (${latencyMs}ms > ${VLM.slaMs}ms SLA)`, tier: gate.tier, latencyMs };
-    else out = { available: true, tier: gate.tier, model: VLM.model, latencyMs };
-    vlmProbe = out; vlmProbeAt = Date.now(); vlmProbing = null;
-    return out;
-  })();
-  return vlmProbing;
-}
-
-// Describe a worker-captured crop with the local VLM. Returns a short text or null. Output is UNTRUSTED
-// (the caller speaks it via buildUtterance('vision', …) so it gets the "로컬 비전:" prefix + shaping + budget).
-async function runVlm(pngPath) {
-  let b64;
-  try {
-    if (statSync(pngPath).size > VLM_MAX_CROP_BYTES) return null;   // bound the data: URL (codex MED)
-    b64 = readFileSync(pngPath).toString('base64');
-  } catch { return null; }
-  const res = await httpChat(buildChatBody(VLM.model, DEFAULT_VLM_PROMPT, b64, VLM.maxTokens), Math.min(20000, VLM.slaMs * 3));
-  if (!res.ok) return null;
-  return extractText(res.json) || null;
-}
-
-// Validate caller triggers into safe internal trigger objects. Triggers evaluate against the watch's main
-// target region. Capped, clamped, action-gated. `say` content is sanitized (not screen-derived → not redacted).
-function parseTriggers(raw) {
-  if (!Array.isArray(raw)) return [];
-  const out = [];
-  for (const t of raw.slice(0, 8)) {
-    if (!t || typeof t !== 'object') continue;
-    const action = ['say', 'ocr', 'vision'].includes(t.action) ? t.action : 'beep';
-    const th = Number(t.threshold);
-    const threshold = Math.min(100, Math.max(0.5, Number.isFinite(th) && th > 0 ? th : 12));
-    const cd = Number(t.cooldownMs);
-    const cooldownMs = Math.min(600000, Math.max(1500, Number.isFinite(cd) && cd > 0 ? Math.floor(cd) : 8000));
-    const trg = { action, threshold, cooldownMs, armed: true, pending: false, pendingTs: 0, lastFireTs: 0, fires: 0 };
-    if (action === 'say') trg.say = sanitizeForSpeech(String(t.say || ''), { redactTokens: false }) || '알림';
-    if (action === 'beep') trg.beep = ['info', 'warn', 'urgent'].includes(t.beep) ? t.beep : 'warn';
-    if (action === 'ocr' || action === 'vision') { const dw = Number(t.dwellMs); trg.dwellMs = Math.min(3000, Math.max(0, Number.isFinite(dw) && dw >= 0 ? dw : 700)); }
-    out.push(trg);
-  }
-  return out;
-}
-
-class WatchSession {
-  constructor(watchId, a) {
-    this.watchId = watchId;
-    this.bgId = `__watch_${watchId}`;             // worker poll-continuity slot, isolated from agent poll_change ids
-    this.targetArgs = buildWatchTargetArgs(a);
-    this.targetLabel = watchTargetLabel(a);
-    const iv = Number(a.pollIntervalMs);
-    this.pollIntervalMs = Math.min(WATCH_MAX_INTERVAL, Math.max(WATCH_MIN_INTERVAL, Number.isFinite(iv) && iv > 0 ? Math.floor(iv) : WATCH_DEFAULT_INTERVAL));
-    this.filter = new NoiseFilter(a);
-    this.cfg = this.filter.cfg;
-    this.outDir = mkdtempSync(join(tmpdir(), 'vortex-cu-watch-'));
-    this.ring = [];                               // [{seq, ts, reason, peakPct, ..., _img?}]
-    this.seq = 0; this.dropped = 0; this.bufBytes = 0;
-    this.polls = 0; this.emitted = 0; this.redactedFrames = 0;
-    this.lastChangePct = null; this.lastPollTs = null;
-    this.lastError = null; this.consecErrors = 0;
-    this.triggers = parseTriggers(a.triggers);    // reflex triggers on the main target region (§22.3)
-    this.reflexFires = 0; this.lastReflex = null;
-    this.startedAt = Date.now();
-    this.stopped = false; this.stopReason = null;
-    this._timer = null;
-  }
-
-  start() { this._schedule(0); return this.status(); }   // first tick goes through the same guarded path (no unhandled rejection, codex LOW)
-
-  _schedule(delayMs = this.pollIntervalMs) {
-    if (this.stopped) return;
-    this._timer = setTimeout(() => { this._tick().catch(() => { if (!this.stopped) this._schedule(); }); }, delayMs);
-    if (this._timer.unref) this._timer.unref();
-  }
-
-  async _tick() {
-    if (this.stopped) return;
-    this._evict();   // enforce the TTL on EVERY tick, not just on emit/get_events — a buffered frame must not outlive EVENT_TTL_MS even if the client never polls (codex HIGH, privacy §24.1)
-    if (Date.now() - this.startedAt > WATCH_MAX_DURATION_MS) { this._stop('max watch duration reached (auto-stopped)'); return; }
-    this.polls++;
-    const reset = this.polls === 1;
-    const wa = { ...this.targetArgs, watchId: this.bgId };
-    if (reset) wa.reset = true;
-    const res = await viaWorker('poll_change', wa, OP_TIMEOUT_MS);
-    if (this.stopped) return;   // stop_watch/dispose may have fired during the await — don't resume into a torn-down session (codex HIGH race)
-    const p = res.payload || {};
-    if (res.isError) {
-      this.consecErrors++; this.lastError = String(p.error || 'poll failed');
-      if (this.consecErrors >= 5) { this._stop(`stopped after repeated poll errors: ${this.lastError}`); return; }
-    } else {
-      this.consecErrors = 0;
-      this.lastChangePct = p.changePct != null ? round2(p.changePct) : null;
-      this.lastPollTs = Date.now();
-      if (p.redacted) {
-        // A denylisted window overlaps the target -> no capture this frame. Treat as a blind gap (don't feed
-        // the filter a fake diff); surface the count in status so the agent knows the watch is partially blind.
-        this.redactedFrames++;
-      } else {
-        const baseline = p.baseline === true;     // includes a silent worker stateReset (fresh baseline)
-        const c = p.changePct != null ? p.changePct : 0;
-        const emit = this.filter.push({ changePct: c, now: this.lastPollTs, baseline });
-        if (emit) { try { await this._onEmit(emit, p); } catch (e) { this.lastError = `emit/capture failed: ${String((e && e.message) || e)}`; } }
-        // Reflex triggers run on the RAW per-tick change (not the settled-event path) — fast local beep/say/ocr.
-        if (!baseline && this.triggers.length) { try { await this._evalReflexes(c, this.lastPollTs); } catch (e) { this.lastError = `reflex failed: ${String((e && e.message) || e)}`; } }
-      }
-    }
-    if (!this.stopped) this._schedule();
-  }
-
-  async _onEmit(emit, pollPayload) {
-    const cap = await viaWorker('capture', { ...this.targetArgs, outDir: this.outDir }, OP_TIMEOUT_MS);
-    if (this.stopped) {
-      materializeImages(cap.payload);   // stopped during the capture await — unlink the just-captured temp frame and drop it (don't push into a disposed session, codex HIGH race)
-      try { rmSync(this.outDir, { recursive: true, force: true }); } catch {}   // the worker may have recreated outDir to write that frame — clear the now-empty dir (codex r2 residual)
-      return;
-    }
-    const cp = cap.payload || {};
-    const ev = { seq: ++this.seq, ts: Date.now(), reason: emit.reason, peakPct: round2(emit.peakPct), activeMs: emit.activeMs, target: this.targetLabel };
-    if (cap.isError) {
-      ev.captureError = String(cp.error || 'capture failed');
-    } else if (cp.redacted) {
-      ev.redacted = true; ev.note = 'settled change detected but the frame was withheld (denylisted window in region)';
-    } else {
-      const items = materializeImages(cp);        // reads the temp PNG inline as base64 and unlinks it (§8 volatility)
-      const img = items[0];
-      if (img) {
-        const bytes = Buffer.from(img.data, 'base64').length;
-        if (bytes <= EVENT_IMG_MAX_BYTES) { ev._img = img; ev.bytes = bytes; this.bufBytes += bytes; }
-        else ev.imageDropped = `image too large (${bytes} bytes)`;
-      }
-      if (cp.outputSize) ev.outputSize = cp.outputSize;
-      if (cp.approxTokens != null) ev.approxTokens = cp.approxTokens;
-      if (cp.captureRect) ev.captureRect = cp.captureRect;
-    }
-    this.emitted++;
-    this.ring.push(ev);
-    this._evict();
-  }
-
-  // Reflex evaluation: per trigger, fire when the raw change crosses its threshold — with hysteresis
-  // (re-arm only after it goes quiet), per-trigger cooldown, and (for ocr) a one-tick dwell so we read a
-  // settled frame rather than a half-drawn one (codex r1 MED). The reflex bypasses the noise-filter debounce
-  // for speed but keeps these throttles + the global speech budget (codex r1 — no denial-of-attention).
-  async _evalReflexes(changePct, now) {
-    for (const trg of this.triggers) {
-      // A pending ocr dwell fires after dwellMs regardless of the current change (the point is a stable frame).
-      if (trg.pending) {
-        if (now - trg.pendingTs >= trg.dwellMs) { trg.pending = false; trg.armed = false; trg.lastFireTs = now; trg.fires++; await this._fireTrigger(trg); }
-        continue;
-      }
-      if (changePct < trg.threshold * 0.5) trg.armed = true;            // hysteresis: re-arm once it settles below half
-      if (changePct < trg.threshold || !trg.armed) continue;
-      if (now - trg.lastFireTs < trg.cooldownMs) continue;             // per-trigger cooldown
-      if (trg.action === 'ocr') { trg.pending = true; trg.pendingTs = now; continue; }   // dwell one tick, then read
-      trg.armed = false; trg.lastFireTs = now; trg.fires++;
-      await this._fireTrigger(trg);
-    }
-  }
-
-  async _fireTrigger(trg) {
-    if (this.stopped) return;
-    if (trg.action === 'beep') { this._reflexNote(trg, 'beep'); await viaWorker('beep', { pattern: trg.beep }); return; }
-    if (trg.action === 'say') { const r = reflexSpeak('say', trg.say); this._reflexNote(trg, r.ok ? 'say' : `say-skip:${r.reason}`); return; }
-    // 'vision' uses the local VLM if it's available this session; otherwise it degrades to OCR (A always works).
-    let kind = trg.action;   // 'ocr' | 'vision'
-    if (kind === 'vision') { const pv = await probeVlm(); if (this.stopped) return; if (!pv.available) kind = 'ocr'; }   // graceful degrade -> read text
-    // Outcome label: surface the degrade ("vision→ocr") in EVERY branch (redacted/nocapture/empty/said), not just success.
-    const tag = (k) => (trg.action === 'vision' && k === 'ocr') ? 'vision→ocr' : k;
-    // Capture the region through the SAME denylist-gated worker path (never an arbitrary file), then read it.
-    const cap = await viaWorker('capture', { ...this.targetArgs, outDir: this.outDir }, OP_TIMEOUT_MS);
-    if (this.stopped) { materializeImages(cap.payload); return; }
-    const cp = cap.payload || {};
-    if (cp.redacted) { this._reflexNote(trg, `${tag(kind)}-redacted`); return; }   // denylisted window in region -> stay blind
-    if (cap.isError || !cp.path) { this._reflexNote(trg, `${tag(kind)}-nocapture`); return; }
-    let text = null, usedKind = kind;
-    try {
-      if (kind === 'vision') {
-        text = await runVlm(cp.path);
-        // The probe said available but the LIVE call can still fail (model unloaded, timeout) — degrade to OCR (codex low).
-        if (text == null && !this.stopped) { usedKind = 'ocr'; text = await runOcr(cp.path); }
-      } else {
-        text = await runOcr(cp.path);
-      }
-    } finally { try { unlinkSync(cp.path); } catch {} }   // volatile: delete the crop after reading (§8)
-    if (this.stopped) return;
-    if (!text) { this._reflexNote(trg, `${tag(usedKind)}-empty`); return; }
-    const r = reflexSpeak(usedKind === 'vision' ? 'vision' : 'ocr', text);   // screen-derived (untrusted) -> provenance chime (or verbal prefix in spoken mode)
-    this._reflexNote(trg, r.ok ? `${tag(usedKind)}-said` : `${tag(usedKind)}-skip:${r.reason}`);
-  }
-
-  _reflexNote(trg, outcome) { this.reflexFires++; this.lastReflex = { ts: Date.now(), action: trg.action, outcome }; }
-
-  _evict() {
-    const cut = Date.now() - EVENT_TTL_MS;
-    while (this.ring.length && this.ring[0].ts < cut) this._drop(this.ring.shift());
-    while (this.ring.length > EVENT_RING_MAX) this._drop(this.ring.shift());
-    while (this.bufBytes > WATCH_BUF_MAX_BYTES && this.ring.length > 0) this._drop(this.ring.shift());
-  }
-  _drop(ev) { if (ev && ev.bytes) this.bufBytes -= ev.bytes; this.dropped++; }
-
-  drain(max = GET_EVENTS_MAX, maxImages = GET_EVENTS_MAX_IMAGES) {
-    this._evict();
-    // Drain only as far as we can return EVERYTHING we remove: stop BEFORE an image-bearing event that would
-    // exceed the per-call image cap, leaving it (and the rest) buffered for the next call (codex MED — never
-    // remove an event whose frame we then have to discard). Metadata-only events keep draining up to `max`.
-    const images = []; const records = [];
-    const cap = Math.max(1, max);
-    while (this.ring.length && records.length < cap) {
-      const ev = this.ring[0];
-      if (ev._img && images.length >= maxImages) break;   // would overflow images — leave it buffered, truthfully report remaining
-      this.ring.shift();
-      if (ev.bytes) this.bufBytes -= ev.bytes;
-      const rec = { ...ev }; delete rec._img;
-      if (ev._img) { images.push(ev._img); rec.image = 'inline'; }
-      records.push(rec);
-    }
-    return { records, images, remaining: this.ring.length };
-  }
-
-  status() {
-    this._evict();
-    return {
-      watchId: this.watchId, target: this.targetLabel, running: !this.stopped, stopReason: this.stopReason || undefined,
-      pollIntervalMs: this.pollIntervalMs, polls: this.polls, lastChangePct: this.lastChangePct,
-      ageMs: Date.now() - this.startedAt, buffered: this.ring.length, dropped: this.dropped, emitted: this.emitted,
-      redactedFrames: this.redactedFrames || undefined, filterPhase: this.filter.status.phase,
-      thresholds: { activityThreshold: this.cfg.activityThreshold, quietThreshold: this.cfg.quietThreshold, debounceQuietMs: this.cfg.debounceQuietMs, cooldownMs: this.cfg.cooldownMs, maxWaitMs: this.cfg.maxWaitMs },
-      triggers: this.triggers.length || undefined, reflexFires: this.reflexFires || undefined, lastReflex: this.lastReflex || undefined,
-      lastError: this.lastError || undefined,
-    };
-  }
-
-  // Stop the loop. On an INVOLUNTARY stop (auto-stop at max duration / repeated errors), the client may never
-  // call stop_watch, so we must not keep screen frames in RAM indefinitely: drop the captured frames now and
-  // remove the (otherwise empty) temp dir, but keep the lightweight metadata records so a later get_events can
-  // still report what happened (codex HIGH — privacy/TTL must hold without client cooperation, §24.1).
-  _stop(reason) {
-    if (this.stopped) return;
-    this.stopped = true; this.stopReason = reason;
-    if (this._timer) { clearTimeout(this._timer); this._timer = null; }
-    this._clearFrames();
-    try { rmSync(this.outDir, { recursive: true, force: true }); } catch {}
-  }
-
-  _clearFrames() {   // strip pixel data, keep metadata records
-    for (const ev of this.ring) { if (ev._img) { delete ev._img; ev.image = 'cleared (watch stopped)'; } }
-    this.bufBytes = 0;
-  }
-
-  dispose() {
-    this._stop(this.stopReason || 'disposed');
-    this.ring = []; this.bufBytes = 0;            // drop everything, including metadata
-  }
-}
-
-const watches = new Map();
-
-function startWatch(a) {
-  if (plat !== 'win32') return { payload: { error: 'start_watch is currently Windows-only', platform: plat }, isError: true };
-  // Require EXACTLY one fixed target — not "at least one" — so the worker's implicit precedence can't make a
-  // caller watch a different target than they passed (codex LOW). Cursor mode is disallowed (the cursor moves).
-  const targetCount = (a.region ? 1 : 0) + (a.window ? 1 : 0) + (a.monitor != null ? 1 : 0);
-  if (targetCount === 0) {
-    return { payload: { error: 'start_watch needs a fixed target — pass region, window, or monitor. Cursor mode is not allowed (the cursor moves, so every frame would differ).' }, isError: true };
-  }
-  if (targetCount > 1) {
-    return { payload: { error: 'start_watch takes exactly one target — pass only one of region, window, or monitor.' }, isError: true };
-  }
-  const watchId = a.watchId ? String(a.watchId) : 'default';
-  let replaced = false;
-  const existing = watches.get(watchId);
-  if (existing) { existing.dispose(); watches.delete(watchId); replaced = true; }
-  // Prune stopped/empty sessions before enforcing the cap, then reject if still over.
-  if (watches.size >= MAX_WATCHES) {
-    for (const [id, s] of watches) { if (s.stopped && s.ring.length === 0) { s.dispose(); watches.delete(id); } }
-  }
-  if (watches.size >= MAX_WATCHES) {
-    return { payload: { error: `too many concurrent watches (max ${MAX_WATCHES}) — stop one first with stop_watch.` }, isError: true };
-  }
-  const session = new WatchSession(watchId, a);
-  watches.set(watchId, session);
-  const status = session.start();
-  return { payload: { ok: true, action: replaced ? 'restarted' : 'started', ...status, hint: 'Watch runs in the background. Call get_events periodically to collect what changed; stop_watch when done.' }, isError: false };
-}
-
-function stopWatch(a) {
-  const watchId = a.watchId ? String(a.watchId) : null;
-  if (!watchId) {
-    const ids = [...watches.keys()];
-    let total = 0;
-    for (const [, s] of watches) { total += s.emitted; s.dispose(); }
-    watches.clear();
-    return { payload: { ok: true, action: 'stopped-all', stopped: ids, totalEmitted: total }, isError: false };
-  }
-  const s = watches.get(watchId);
-  if (!s) return { payload: { error: `no watch with id "${watchId}"`, active: [...watches.keys()] }, isError: true };
-  const summary = { ok: true, action: 'stopped', watchId, polls: s.polls, emitted: s.emitted, dropped: s.dropped, discardedUnread: s.ring.length, ageMs: Date.now() - s.startedAt };
-  s.dispose(); watches.delete(watchId);
-  return { payload: summary, isError: false };
-}
-
-// get_events returns the buffered events as text records plus their settled frames as MCP image items.
-function getEvents(a) {
-  const watchId = a.watchId ? String(a.watchId) : 'default';
-  const s = watches.get(watchId);
-  if (!s) return { result: { payload: { error: `no watch with id "${watchId}"`, active: [...watches.keys()] }, isError: true }, images: [] };
-  const max = Number.isFinite(Number(a.max)) ? Math.min(GET_EVENTS_MAX, Math.max(1, Math.floor(Number(a.max)))) : GET_EVENTS_MAX;
-  const { records, images, remaining } = s.drain(max);
-  const payload = { watchId, events: records, returned: records.length, remaining, status: s.status() };
-  return { result: { payload, isError: false }, images };
-}
-
-const TOOLS = [
-  {
-    name: 'probe',
-    description: 'Check whether screen perception works in this environment + measure display/capture latency (P0.5).',
-    inputSchema: { type: 'object', properties: {}, additionalProperties: false },
-  },
-  {
-    name: 'read_ui',
-    description: 'Structured perception of the active/targeted window — UIA(Win)/AX(mac) tree: elements, roles, coordinates, text. Zero images, ~0 tokens (P1 primary).',
-    inputSchema: {
-      type: 'object',
-      properties: {
-        window: { type: 'string', description: 'Target by a substring of the window title. If omitted, foreground.' },
-        target: { type: 'string', enum: ['foreground', 'cursor'], description: 'Target to use when no window is given.' },
-      },
-      additionalProperties: false,
-    },
-  },
-  {
-    name: 'classify_activity',
-    description: 'Adaptive companion: classify what the user is doing on the foreground window — returns { class: GAME|DEV|MEDIA|BROWSING|PRODUCTIVITY|UNKNOWN, process, title, notificationState, interruptible, canvas, uiaCount, fullscreen, profile, needsChangeRate }. Read-only, zero images. Use it to pick a help profile/cadence; for GAME, sample poll_change to split fast-action (break-gated) vs strategy (periodic). See docs/adaptive-companion.md.',
-    inputSchema: { type: 'object', properties: {}, additionalProperties: false },
-  },
-  {
-    name: 'capture_screen',
-    description: 'Pixel capture — fallback for canvas/games that structured perception cannot read. Target (priority): region > window > monitor > (default) around the cursor. Returns a PNG path (volatility is the caller\'s job, §8).',
-    inputSchema: {
-      type: 'object',
-      properties: {
-        boxW: { type: 'number', description: 'Cursor-mode box width (default 600).' },
-        boxH: { type: 'number', description: 'Cursor-mode box height (default 400).' },
-        region: {
-          type: 'object',
-          description: 'Capture a fixed region (ignores cursor). Virtual-screen physical coordinates.',
-          properties: { x: { type: 'number' }, y: { type: 'number' }, w: { type: 'number' }, h: { type: 'number' } },
-          required: ['x', 'y', 'w', 'h'],
-          additionalProperties: false,
-        },
-        window: { type: 'string', description: 'Window title substring -> capture that window\'s region (ignores cursor). Tracks the window even as it moves.' },
-        monitor: { type: 'string', description: "Target a monitor (ignores cursor): 1-based index ('3') or 'primary'. For continuously watching a game-only monitor." },
-        detail: { type: 'string', description: "Resolution preset: 'gist' (flow only, small) / 'normal' (default) / 'text' (text/code, large). For reading text, prefer region/window + 'text' over a whole monitor." },
-        scale: { type: 'number', description: 'Upscale factor (small regions). When set, overrides detail.' },
-        maxSide: { type: 'number', description: 'Upper bound on the output longest side in px. When set, overrides detail.' },
-      },
-      additionalProperties: false,
-    },
-  },
-  {
-    name: 'watch_capture',
-    description: 'Capture a fixed target N times at a set interval (within one pwsh process — avoids per-frame re-spawn cost). With changeOnly, save only frames that changed from the previous one. Synchronous/blocking (waits for the response over frames×interval) — Windows-only PoC. Target priority: region > window > monitor > cursor.',
-    inputSchema: {
-      type: 'object',
-      properties: {
-        frames: { type: 'number', description: 'Number of frames to capture (>1).' },
-        intervalMs: { type: 'number', description: 'Interval between frames (ms, default 1000).' },
-        changeOnly: { type: 'boolean', description: 'Save only frames that changed from the previous one (default false).' },
-        changeThreshold: { type: 'number', description: 'Change-detection threshold % (default 2.0).' },
-        region: {
-          type: 'object',
-          description: 'Fixed region (ignores cursor). Virtual-screen physical coordinates.',
-          properties: { x: { type: 'number' }, y: { type: 'number' }, w: { type: 'number' }, h: { type: 'number' } },
-          required: ['x', 'y', 'w', 'h'],
-          additionalProperties: false,
-        },
-        window: { type: 'string', description: 'Window title substring (ignores cursor, tracks movement).' },
-        monitor: { type: 'string', description: "Target a monitor (ignores cursor): index or 'primary'." },
-        boxW: { type: 'number', description: 'Cursor-mode box width.' },
-        boxH: { type: 'number', description: 'Cursor-mode box height.' },
-        detail: { type: 'string', description: "Resolution preset: 'gist'/'normal'/'text'. An explicit scale/maxSide takes precedence." },
-        scale: { type: 'number', description: 'Upscale factor. When set, overrides detail.' },
-        maxSide: { type: 'number', description: 'Upper bound on the output longest side in px. When set, overrides detail.' },
-      },
-      additionalProperties: false,
-    },
-  },
-  {
-    name: 'poll_change',
-    description: 'Look at the screen once (async watch primitive) — capture the target once, compare with the previous shot, and immediately return only the change rate. The resident worker remembers the previous state per watchId (continuity). **By default, metadata only (changed, changePct; no image saved = token savings)** — pass includeImage:true to also get the image (path) only when you actually need to see the screen. "Watching alongside" is built by the agent repeatedly calling this tool (polling) every 1-2 seconds — non-blocking, the user can step in at any time. Use reset:true on start / target change. Windows-only.',
-    inputSchema: {
-      type: 'object',
-      properties: {
-        region: {
-          type: 'object',
-          description: 'Fixed region (ignores cursor). Virtual-screen physical coordinates.',
-          properties: { x: { type: 'number' }, y: { type: 'number' }, w: { type: 'number' }, h: { type: 'number' } },
-          required: ['x', 'y', 'w', 'h'],
-          additionalProperties: false,
-        },
-        window: { type: 'string', description: 'Window title substring (ignores cursor, tracks movement).' },
-        monitor: { type: 'string', description: "Target a monitor (ignores cursor): index or 'primary'." },
-        boxW: { type: 'number', description: 'Cursor-mode box width.' },
-        boxH: { type: 'number', description: 'Cursor-mode box height.' },
-        scale: { type: 'number', description: 'Upscale factor when includeImage. When set, overrides detail.' },
-        maxSide: { type: 'number', description: 'Upper bound on the output longest side in px when includeImage. When set, overrides detail.' },
-        changeThreshold: { type: 'number', description: 'Change-detection threshold % (default 2).' },
-        watchId: { type: 'string', description: 'Watch-session id (default "default"). The previous state is remembered under this id.' },
-        reset: { type: 'boolean', description: 'If true, discard the previous state and start a new baseline (on watch start / target change).' },
-        detail: { type: 'string', description: "Resolution preset: 'gist'/'normal'/'text' (the saved image size when includeImage)." },
-        includeImage: { type: 'boolean', description: 'Default false = metadata only (changePct etc., token savings). If true, also save and return the changed/baseline frame as a PNG (path).' },
-      },
-      additionalProperties: false,
-    },
-  },
-  {
-    name: 'beep',
-    description: 'Sound alert — call this to emit a beep when you have a message to show the user during watching (so they notice while looking at a game / another screen). Recommended to call right before printing the message. Windows-only. (A precursor to future voice TTS.)',
-    inputSchema: {
-      type: 'object',
-      properties: {
-        pattern: { type: 'string', description: "Beep pattern: 'info' (once) / 'warn' (twice) / 'urgent' (three times). Default info." },
-        count: { type: 'number', description: 'Repeat count (overrides pattern when set). 1-10.' },
-        frequency: { type: 'number', description: 'Pitch in Hz (37-32767).' },
-        durationMs: { type: 'number', description: 'Duration of one beep in ms.' },
-      },
-      additionalProperties: false,
-    },
-  },
-  {
-    name: 'speak',
-    description:
-      "Speak ONE short line aloud in the user's language through the local TTS — the AGENT tier of the watch design. This is how you act as a companion while they look at a game / another screen: you SEE the screen (capture_screen / get_events), UNDERSTAND it, and say something useful — strategic advice, a warning about a threat/opportunity they might miss, brief commentary, or an answer to their question. These are YOUR OWN judged words (trusted), so they are spoken WITHOUT a provenance mark. Therefore do NOT pipe RAW screen text through here — summarize/judge it into your own sentence first; for unjudged raw screen text use an `ocr` trigger instead (it is marked as screen-derived). Keep it to one concise sentence. Globally rate-limited and never overlaps reflex speech (one set of ears). Windows-only.",
-    inputSchema: {
-      type: 'object',
-      properties: {
-        text: { type: 'string', description: 'The sentence to speak — your own words (a summary/advice/answer), not a raw screen dump. Kept short; long text is capped.' },
-      },
-      required: ['text'],
-      additionalProperties: false,
-    },
-  },
-  {
-    name: 'start_watch',
-    description:
-      'Start watching a fixed target in the BACKGROUND and return immediately (non-blocking). A built-in noise filter (debounce + cooldown) suppresses the per-frame ripple of video/games/scrolling and keeps only meaningful, SETTLED changes — so it works on screens that change every frame, where raw change-detection would flood you. Events accumulate in an in-memory buffer; collect them with get_events, end with stop_watch. Needs a fixed target (region/window/monitor — NOT the cursor). Tune with thresholds if needed. Windows-only. Auto-stops after 30 min.',
-    inputSchema: {
-      type: 'object',
-      properties: {
-        region: {
-          type: 'object',
-          description: 'Fixed region to watch (virtual-screen physical coordinates). Recommended for a game minimap/alert area.',
-          properties: { x: { type: 'number' }, y: { type: 'number' }, w: { type: 'number' }, h: { type: 'number' } },
-          required: ['x', 'y', 'w', 'h'],
-          additionalProperties: false,
-        },
-        window: { type: 'string', description: 'Window title substring to watch (tracks the window as it moves).' },
-        monitor: { type: 'string', description: "Monitor to watch: 1-based index ('2') or 'primary' (e.g. a game-only screen)." },
-        watchId: { type: 'string', description: 'Watch-session id (default "default"). Use distinct ids to run several watches at once; starting an existing id restarts it.' },
-        pollIntervalMs: { type: 'number', description: 'How often to sample the target (ms, default 600; clamped 400-5000). Lower = snappier + more CPU.' },
-        detail: { type: 'string', description: "Resolution preset for the captured settled frame: 'gist'/'normal'/'text'." },
-        activityThreshold: { type: 'number', description: 'Frame-to-frame % change that WAKES the filter (default 8). Set above your screen\'s ambient jitter (a playing video measures ~2.5-4%) and below a real transition (a scene cut ~16.8%).' },
-        quietThreshold: { type: 'number', description: 'Frame-to-frame % below which a frame counts as "still" (default 5). Hysteresis: forced below activityThreshold.' },
-        debounceQuietMs: { type: 'number', description: 'How long motion must stay quiet before the settled frame is emitted (ms, default 900 = quality gate).' },
-        cooldownMs: { type: 'number', description: 'Minimum gap between events (ms, default 6000 = frequency cap; suppresses ripples of one activity).' },
-        maxWaitMs: { type: 'number', description: 'If motion never settles, emit anyway this often (ms, default 8000 = anti-starvation for continuous motion).' },
-        triggers: {
-          type: 'array',
-          description: 'Reflex triggers (design §22.3): fire a local alert the INSTANT the watched region changes past a threshold — no cloud LLM round-trip, so it reaches the user in well under a second. Actions: `beep` (sound), `say` (speak a FIXED pre-written phrase — safest), `ocr` (read the region\'s text aloud via offline OCR), or `vision` (describe the scene via a LOCAL vision model if one is configured + fast enough, else auto-degrades to ocr). Spoken screen content is marked as screen-derived (by default a verbal "화면 글자:" / "로컬 비전:" prefix; a non-verbal chime when VORTEX_CU_SPEECH_PROVENANCE=earcon) and shaped; speech is globally rate-limited. Use a `beep`/`say` reflex for "ping me the moment X happens"; for the deeper, JUDGED commentary (advice, warnings, answers) look at the get_events frame and voice your own sentence with the `speak` tool — raw `ocr` readout is just a fallback.',
-          maxItems: 8,
-          items: {
-            type: 'object',
-            properties: {
-              action: { type: 'string', enum: ['beep', 'say', 'ocr', 'vision'], description: "What to do on a crossing." },
-              threshold: { type: 'number', description: 'Frame-to-frame % change that fires this trigger (default 12).' },
-              say: { type: 'string', description: "For action 'say': the fixed phrase to speak (e.g. '적 출현')." },
-              beep: { type: 'string', description: "For action 'beep': 'info'/'warn'/'urgent' (default warn)." },
-              cooldownMs: { type: 'number', description: 'Minimum gap between firings of this trigger (ms, default 8000).' },
-              dwellMs: { type: 'number', description: "For action 'ocr': wait this long after the change before reading, so the frame is settled (ms, default 700)." },
-            },
-            required: ['action'],
-            additionalProperties: false,
-          },
-        },
-      },
-      additionalProperties: false,
-    },
-  },
-  {
-    name: 'get_events',
-    description:
-      'Collect the changes a background watch (start_watch) has buffered since the last call — non-blocking, batched (so a long watch costs only a few looks). Returns one record per settled change (time, reason, change magnitude, capture metadata) plus the settled frames as inline images, and a status block (polls, buffered, dropped, filter phase). Drains what it returns; call again for any remainder.',
-    inputSchema: {
-      type: 'object',
-      properties: {
-        watchId: { type: 'string', description: 'Which watch to collect from (default "default").' },
-        max: { type: 'number', description: 'Max events to return this call (default/cap 12). Remaining stay buffered.' },
-      },
-      additionalProperties: false,
-    },
-  },
-  {
-    name: 'stop_watch',
-    description: 'Stop a background watch and discard its buffer + in-memory frames. Omit watchId to stop ALL watches. Returns a summary (polls, events emitted, unread discarded).',
-    inputSchema: {
-      type: 'object',
-      properties: {
-        watchId: { type: 'string', description: 'Which watch to stop. Omit to stop every active watch.' },
-      },
-      additionalProperties: false,
-    },
-  },
-];
-
-// The CallTool handler — standalone (no SDK types), wired to the server only on the serve path.
-async function handleCallTool(req) {
-  const { name, arguments: a = {} } = req.params;
-  const useWorker = plat === 'win32';   // the resident worker is Windows PowerShell backend only
-  let result;
-  let reqDir = null;   // per-request temp dir for screenshots — deleted in finally on EVERY exit path (codex blocker: timeout/error left files behind)
-  // Clamp output-size knobs at the MCP boundary so a huge upscale can't blow up the response / PS render (codex #med).
-  if (a.scale != null) { const s = Number(a.scale); a.scale = Number.isFinite(s) ? Math.min(8, Math.max(0.1, s)) : undefined; }
-  if (a.maxSide != null) { const m = Number(a.maxSide); a.maxSide = Number.isFinite(m) ? Math.min(4096, Math.max(16, Math.floor(m))) : undefined; }
-  try {
-  if (name === 'probe') {
-    result = useWorker ? await viaWorker('probe', {}) : runBackend('probe');
-    // If a local VLM is configured, also report its availability (synthetic-image probe — no real screen sent).
-    // This is the only place probe touches the network, and only when the user opted in by setting an endpoint.
-    if (VLM.enabled && result && result.payload && typeof result.payload === 'object') {
-      try { result.payload.vlm = await probeVlm(); } catch (e) { result.payload.vlm = { available: false, reason: String((e && e.message) || e) }; }
-    }
-  } else if (name === 'read_ui') {
-    if (useWorker) {
-      const wa = {};
-      if (a.window) wa.windowMatch = String(a.window);
-      if (a.target) wa.target = String(a.target);
-      result = await viaWorker('read_ui', wa);
-    } else {
-      const args = [];
-      if (a.window) args.push('-WindowMatch', String(a.window));
-      if (a.target) args.push('-Target', String(a.target));
-      result = runBackend('read', args);
-    }
-  } else if (name === 'classify_activity') {
-    if (plat !== 'win32') {
-      result = { payload: { error: 'classify_activity is currently Windows-only', platform: plat }, isError: true };
-    } else {
-      const raw = runBackend('classify', [], 8000);   // fast one-shot; 8s hard timeout so a hung UIA call can't freeze the loop
-      if (raw.isError) {
-        result = raw;
-      } else {
-        try {
-          const opts = { profiles: COMPANION_PROFILES };
-          if (process.env.VORTEX_CU_UIA_CANVAS_MAX) opts.uiaCanvasMax = Number(process.env.VORTEX_CU_UIA_CANVAS_MAX);
-          const d = classifyActivity(raw.payload, opts);
-          const p = raw.payload || {};
-          result = { payload: { ...d, redacted: !!p.redacted, reason: p.reason, procId: p.procId, hwnd: p.hwnd, uiaCapped: p.uiaCapped, uiaOk: p.uiaOk, notificationStateCode: p.notificationState } };
-        } catch (e) {
-          result = { payload: { error: 'classify failed', detail: String((e && e.message) || e), raw: raw.payload }, isError: true };
-        }
-      }
-    }
-  } else if (name === 'capture_screen') {
-    reqDir = mkdtempSync(join(tmpdir(), 'vortex-cu-'));
-    if (useWorker) {
-      const wa = { outDir: reqDir };
-      if (a.region) wa.region = `${a.region.x},${a.region.y},${a.region.w},${a.region.h}`;
-      if (a.window) wa.windowMatch = String(a.window);
-      if (a.monitor != null) wa.monitor = String(a.monitor);
-      if (a.boxW) wa.boxW = a.boxW;
-      if (a.boxH) wa.boxH = a.boxH;
-      if (a.detail) wa.detail = String(a.detail);
-      if (a.scale != null) wa.scale = a.scale;
-      if (a.maxSide != null) wa.maxSide = a.maxSide;
-      result = await viaWorker('capture', wa);
-    } else {
-      const args = ['-OutDir', reqDir];
-      if (a.boxW) args.push('-BoxW', String(a.boxW));
-      if (a.boxH) args.push('-BoxH', String(a.boxH));
-      result = runBackend('capture', args);
-    }
-  } else if (name === 'watch_capture') {
-    // watch isn't run on the resident worker (avoids blocking other calls with a long occupation, codex #1) -> always per-call spawn.
-    if (plat !== 'win32') {
-      result = { payload: { error: 'watch_capture is currently Windows-only', platform: plat }, isError: true };
-    } else {
-      // Hard caps so one watch call can't run unbounded; async runner so it never blocks the server (codex #high).
-      reqDir = mkdtempSync(join(tmpdir(), 'vortex-cu-'));
-      const MAX_FRAMES = 60, MIN_INTERVAL = 100, MAX_INTERVAL = 10000, MAX_WATCH_MS = 180000;
-      const reqFrames = Number(a.frames), reqInterval = Number(a.intervalMs);
-      const frames = Math.min(MAX_FRAMES, Math.max(1, Number.isFinite(reqFrames) && reqFrames > 0 ? Math.floor(reqFrames) : 2));
-      const intervalMs = Math.min(MAX_INTERVAL, Math.max(MIN_INTERVAL, Number.isFinite(reqInterval) && reqInterval > 0 ? Math.floor(reqInterval) : 1000));
-      const args = ['-WatchFrames', String(frames), '-IntervalMs', String(intervalMs), '-OutDir', reqDir];
-      if (a.changeOnly) args.push('-ChangeOnly');
-      if (a.changeThreshold != null) args.push('-ChangeThreshold', String(a.changeThreshold));
-      if (a.region) args.push('-Region', `${a.region.x},${a.region.y},${a.region.w},${a.region.h}`);
-      if (a.window) args.push('-WindowMatch', String(a.window));
-      if (a.monitor != null) args.push('-Monitor', String(a.monitor));
-      if (a.boxW) args.push('-BoxW', String(a.boxW));
-      if (a.boxH) args.push('-BoxH', String(a.boxH));
-      if (a.detail) args.push('-Detail', String(a.detail));
-      if (a.scale != null) args.push('-Scale', String(a.scale));
-      if (a.maxSide != null) args.push('-MaxSide', String(a.maxSide));
-      const timeoutMs = Math.min(MAX_WATCH_MS, frames * intervalMs + 15000);
-      result = await runBackendAsync('capture', args, timeoutMs, reqDir);
-      if (result.cleanupOwned) reqDir = null;   // runBackendAsync deferred cleanup (timeout/cap fallback) — don't race it in finally
-    }
-  } else if (name === 'poll_change') {
-    // async watch primitive — a fast single shot, so it goes through the worker (which also holds the previous state). win32 only.
-    if (plat !== 'win32') {
-      result = { payload: { error: 'poll_change is currently Windows-only', platform: plat }, isError: true };
-    } else {
-      const wa = {};
-      if (a.includeImage) { reqDir = mkdtempSync(join(tmpdir(), 'vortex-cu-')); wa.outDir = reqDir; wa.includeImage = true; }
-      if (a.region) wa.region = `${a.region.x},${a.region.y},${a.region.w},${a.region.h}`;
-      if (a.window) wa.windowMatch = String(a.window);
-      if (a.monitor != null) wa.monitor = String(a.monitor);
-      if (a.boxW) wa.boxW = a.boxW;
-      if (a.boxH) wa.boxH = a.boxH;
-      if (a.scale != null) wa.scale = a.scale;
-      if (a.maxSide != null) wa.maxSide = a.maxSide;
-      if (a.detail) wa.detail = String(a.detail);
-      if (a.changeThreshold != null) wa.changeThreshold = a.changeThreshold;
-      const wid = a.watchId ? String(a.watchId) : 'default';
-      if (a.watchId) wa.watchId = wid;
-      if (a.reset) wa.reset = true;
-      const seenBefore = pollSeen.has(wid);
-      result = await viaWorker('poll_change', wa);
-      // Record the watchId only after a SUCCESSFUL poll (payload carries a boolean baseline) — a failed first call must
-      // not make the next valid baseline look like a reset; bound the set so attacker-chosen watchIds can't grow it forever. codex #low.
-      if (result && result.payload && typeof result.payload.baseline === 'boolean') {
-        if (pollSeen.size > 1000) pollSeen.clear();
-        pollSeen.add(wid);
-      }
-      // A non-reset follow-up that comes back baseline=true means the worker lost its state (restart/idle-dispose/crash).
-      // Surface it as a reset so the agent treats it as a fresh baseline — NOT as "no change" (a real change in the gap would otherwise be silently missed). codex #high.
-      if (!a.reset && seenBefore && result && result.payload && result.payload.baseline === true) {
-        result.payload.stateReset = true;
-        result.payload.warning = 'watch state was lost (worker restarted/idle-disposed) — this is a fresh baseline, not a "no change" result; a change during the gap may have been missed.';
-      }
-    }
-  } else if (name === 'beep') {
-    if (plat !== 'win32') {
-      result = { payload: { error: 'beep is currently Windows-only', platform: plat }, isError: true };
-    } else {
-      const wa = {};
-      if (a.pattern) wa.pattern = String(a.pattern);
-      if (a.count != null) wa.count = a.count;
-      if (a.frequency != null) wa.frequency = a.frequency;
-      if (a.durationMs != null) wa.durationMs = a.durationMs;
-      result = await viaWorker('beep', wa);
-    }
-  } else if (name === 'speak') {
-    // Agent-authored speech: trusted content -> no provenance mark (treated like a 'say' fixed phrase), but
-    // still shaped + globally budgeted + no-overlap with reflex speech (one set of ears). Non-blocking.
-    if (plat !== 'win32') {
-      result = { payload: { error: 'speak is currently Windows-only', platform: plat }, isError: true };
-    } else if (typeof a.text !== 'string' || !a.text.trim()) {
-      result = { payload: { ok: false, error: 'empty text' }, isError: true };
-    } else {
-      const r = reflexSpeak('agent', a.text);   // agent's judged words: no provenance mark, but redacted + shaped + budgeted
-      result = { payload: r.ok ? { ok: true, uttered: r.uttered } : { ok: false, skipped: r.reason } };
-    }
-  } else if (name === 'start_watch') {
-    result = startWatch(a);
-  } else if (name === 'stop_watch') {
-    result = stopWatch(a);
-  } else if (name === 'get_events') {
-    // get_events carries its OWN already-materialized image items (from the watch buffer) — return them directly
-    // and skip the generic materializeImages pass (there are no on-disk paths in the payload to re-read).
-    if (plat !== 'win32') {
-      result = { payload: { error: 'get_events is currently Windows-only', platform: plat }, isError: true };
-    } else {
-      const { result: r, images } = getEvents(a);
-      auditLog('get_events', r.payload, images);
-      return { content: [{ type: 'text', text: JSON.stringify(r.payload, null, 2) }, ...images], isError: r.isError };
-    }
-  } else {
-    return { content: [{ type: 'text', text: `unknown tool: ${name}` }], isError: true };
-  }
-  const imageItems = materializeImages(result.payload);
-  auditLog(name, result.payload, imageItems);   // metadata/HMAC only — original image and text are not stored (§8)
-  return { content: [{ type: 'text', text: JSON.stringify(result.payload, null, 2) }, ...imageItems], isError: result.isError };
-  } finally {
-    if (reqDir) { try { rmSync(reqDir, { recursive: true, force: true }); } catch {} }
-  }
-}
-
-// Clean up the worker + any background watches on server shutdown (stops the loops, frees in-RAM frames,
-// removes the watch temp dirs). The worker also auto-terminates via stdin EOF when the parent dies.
-process.on('exit', () => { try { if (speakingChild) speakingChild.kill(); } catch {} for (const s of watches.values()) { try { s.dispose(); } catch {} } workerMgr.dispose(); });
-process.on('SIGINT', () => process.exit(0));
-process.on('SIGTERM', () => process.exit(0));
-
-// ── install mode: self-register into the project .mcp.json (stage 1) ─────────
-// `vortex-mcp-computer-use install [--path <file>]` — merge-safe registration. ALWAYS uses the
-// non-reserved key "vortex-computer-use" (the host reserves "computer-use" and silently won't load
-// it), preserves every other server + top-level field, and refuses to overwrite a malformed file.
-const SERVER_KEY = 'vortex-computer-use';
-const SERVER_ENTRY = { command: 'node', args: ['node_modules/@vortex-os/computer-use/scripts/mcp-stdio.mjs'] };
-
-const isObjLit = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
-const refuse = (msg) => { process.stderr.write(`[install] ${msg}\n`); process.exit(1); };
-
-function runInstall(argv) {
-  const i = argv.indexOf('--path');
-  let target;
-  if (i >= 0) {
-    const v = argv[i + 1];
-    if (!v || v.startsWith('--')) refuse('--path requires a file path argument.');
-    target = v;
-  } else {
-    target = join(process.cwd(), '.mcp.json');
-  }
-  let existing = {};
-  if (existsSync(target)) {
-    let txt;
-    try { txt = readFileSync(target, 'utf8').trim(); }
-    catch (e) { refuse(`${target} could not be read — left untouched: ${e.message}`); }
-    if (txt) {
-      let parsed;
-      try { parsed = JSON.parse(txt); }
-      catch (e) { refuse(`${target} is not valid JSON — refusing to overwrite (fix it first): ${e.message}`); }
-      if (!isObjLit(parsed)) refuse(`${target} is not a JSON object — refusing to overwrite.`);
-      if (parsed.mcpServers !== undefined && !isObjLit(parsed.mcpServers)) refuse(`${target} has a non-object "mcpServers" — refusing to overwrite.`);
-      existing = parsed;
-    }
-  }
-  const servers = isObjLit(existing.mcpServers) ? existing.mcpServers : {};
-  // ADD-ONLY: never clobber an existing "vortex-computer-use" entry (the user may have customized it).
-  if (Object.prototype.hasOwnProperty.call(servers, SERVER_KEY)) {
-    process.stdout.write(JSON.stringify({ ok: true, action: 'already-present', path: target, serverKey: SERVER_KEY }, null, 2) + '\n');
-    process.stderr.write(`[install] "${SERVER_KEY}" already registered in ${target} — left unchanged.\n`);
-    return;
-  }
-  const preserved = Object.keys(servers);
-  const merged = { ...existing, mcpServers: { ...servers, [SERVER_KEY]: SERVER_ENTRY } };
-  // Atomic write via a PRIVATE temp dir (random name, not a guessable sibling): write inside with
-  // exclusive-create, rename onto the target, then remove the dir. Avoids following a pre-placed
-  // temp symlink and leaves no stray temp on failure (codex r2 MEDIUM).
-  try { mkdirSync(dirname(target), { recursive: true }); } catch {}
-  const tmpDir = mkdtempSync(join(dirname(target), '.mcp-cu-'));
-  const tmp = join(tmpDir, 'mcp.json');
-  try {
-    writeFileSync(tmp, JSON.stringify(merged, null, 2) + '\n', { encoding: 'utf8', flag: 'wx' });
-    renameSync(tmp, target);
-  } finally {
-    try { rmSync(tmpDir, { recursive: true, force: true }); } catch {}
-  }
-  process.stdout.write(JSON.stringify({ ok: true, action: 'added', path: target, serverKey: SERVER_KEY, preservedServers: preserved }, null, 2) + '\n');
-  process.stderr.write(
-    `[install] added "${SERVER_KEY}" in ${target}` +
-      (preserved.length ? ` (kept: ${preserved.join(', ')})` : '') + '\n' +
-      `[install] Restart the agent — or approve the new MCP server when prompted — to load the computer-use tools.\n`,
-  );
-}
-
-if (process.argv.slice(2).includes('install')) {
-  runInstall(process.argv.slice(2));
-} else {
-  // Serve path: load the MCP SDK dynamically (so `install` never requires it), wire the handlers, connect.
-  const { Server } = await import('@modelcontextprotocol/sdk/server/index.js');
-  const { StdioServerTransport } = await import('@modelcontextprotocol/sdk/server/stdio.js');
-  const { ListToolsRequestSchema, CallToolRequestSchema } = await import('@modelcontextprotocol/sdk/types.js');
-  const server = new Server({ name: 'computer-use', version: '0.5.0' }, { capabilities: { tools: {} } });
-  server.setRequestHandler(ListToolsRequestSchema, async () => ({ tools: TOOLS }));
-  server.setRequestHandler(CallToolRequestSchema, handleCallTool);
-  await server.connect(new StdioServerTransport());
-  process.stderr.write(`[computer-use MCP] ready on stdio (worker=${plat === 'win32' ? 'on' : 'off'}; tools: probe, read_ui, classify_activity, capture_screen, watch_capture, poll_change, start_watch, get_events, stop_watch, beep, speak)\n`);
-}
+#!/usr/bin/env node
+// @vortex-os/computer-use — read-only screen-perception MCP stdio server (Windows-first).
+// Tools: probe · read_ui · classify_activity · capture_screen · watch_capture · poll_change · start_watch · get_events · stop_watch · beep · speak.
+// Control is out of scope.
+// Two modes (bin `vortex-mcp-computer-use`):
+//   - default: run the stdio server (what an MCP host launches).
+//   - `install`: self-register into the project `.mcp.json` under the non-reserved key
+//     `vortex-computer-use` (merge-safe). e.g. `npx vortex-mcp-computer-use install`.
+// Optional dep: @modelcontextprotocol/sdk — loaded DYNAMICALLY only on the serve path (see the
+// bottom dispatch), so `install` registers and exits without needing the SDK present.
+import { spawnSync, spawn } from 'node:child_process';
+import { fileURLToPath } from 'node:url';
+import { dirname, join } from 'node:path';
+import { readFileSync, unlinkSync, statSync, mkdtempSync, rmSync, existsSync, mkdirSync, writeFileSync, renameSync, appendFileSync } from 'node:fs';
+import { tmpdir, homedir } from 'node:os';
+import { createHmac, randomBytes } from 'node:crypto';
+import { NoiseFilter, resolveFilterConfig } from './noise-filter.mjs';
+import { sanitizeForSpeech, buildUtterance, estimateSpeechMs, SpeechBudget } from './speech-safety.mjs';
+import { parseVlmConfig, vlmGate, buildChatBody, extractText, SYNTH_PNG_B64, DEFAULT_VLM_PROMPT } from './vlm.mjs';
+import { classifyActivity } from './activity.mjs';
+
+const dir = dirname(fileURLToPath(import.meta.url));
+const plat = process.platform;
+
+// Package version (read from the shipped package.json — `dir` is scripts/, so the manifest is one up),
+// reported as the MCP server version so the host sees the real version (was hardcoded + stale before).
+const PKG_VERSION = (() => {
+  try { return JSON.parse(readFileSync(join(dir, '..', 'package.json'), 'utf8')).version || '0.0.0'; }
+  catch { return '0.0.0'; }
+})();
+
+// Resolve the user config file `computer-use.config.json`. HISTORY: it was read only from `dir` (this
+// scripts/ folder INSIDE node_modules) — a path the docs never named and that npm wipes on every reinstall,
+// so a documented redaction denylist / tts / companion config silently never loaded. NOW, in order:
+//   1. VORTEX_CU_CONFIG  — explicit absolute path override.
+//   2. <cwd>/computer-use.config.json — the instance root (the MCP host launches us with cwd = instance root);
+//      durable, outside node_modules, and where users are now told to put it.
+//   3. <dir>/computer-use.config.json — legacy scripts/ location, kept for backward compatibility.
+// When none exists we return the cwd path (the canonical "put it here" location), so callers treat config as absent.
+// Because a missing config means an EMPTY redaction denylist (no privacy protection), every "expected
+// config not loaded" case warns to stderr rather than failing silently — a silent inert denylist is the
+// exact trap this release fixes (codex r1, MEDIUM x2).
+function resolveConfigPath() {
+  const env = process.env.VORTEX_CU_CONFIG;
+  const cwd = join(process.cwd(), 'computer-use.config.json');
+  const legacy = join(dir, 'computer-use.config.json');
+  if (env && env.trim()) {
+    if (existsSync(env)) return env;
+    // Explicit path that doesn't exist: warn LOUD (likely a typo) and fall back, never silently honor a dead path.
+    process.stderr.write(`[computer-use MCP] WARNING: VORTEX_CU_CONFIG="${env}" does not exist — config (incl. the redaction denylist) is NOT loaded from it; falling back to the instance root.\n`);
+  }
+  if (existsSync(cwd)) {
+    if (existsSync(legacy)) process.stderr.write(`[computer-use MCP] NOTE: using the instance-root computer-use.config.json; a legacy ${legacy} also exists and is IGNORED.\n`);
+    return cwd;
+  }
+  if (existsSync(legacy)) return legacy;
+  return cwd;
+}
+// Resolve ONCE at load (so the warnings above fire at most once, not per config section).
+const CONFIG_PATH = resolveConfigPath();
+
+// ── redaction config (§8·§14) ─────────────────────────────────────────────
+// Normalize the denylist into env (JSON array) so children (worker / per-call spawn) inherit it -> no per-call args. Config source: env > config file.
+// The actual blocking is done by the backend (lib.ps1 Test-AxDenylist) right before CopyFromScreen (Node doesn't know which windows are inside the region/monitor).
+function loadRedactionConfig() {
+  let titles = [], procs = [];
+  try {
+    const cfgPath = CONFIG_PATH;
+    if (existsSync(cfgPath)) {
+      const r = (JSON.parse(readFileSync(cfgPath, 'utf8')) || {}).redaction || {};
+      if (Array.isArray(r.denyWindowTitles)) titles = r.denyWindowTitles;
+      if (Array.isArray(r.denyProcesses)) procs = r.denyProcesses;
+    }
+  } catch {}
+  try { if (process.env.VORTEX_CU_DENY_TITLES) titles = JSON.parse(process.env.VORTEX_CU_DENY_TITLES); } catch {}
+  try { if (process.env.VORTEX_CU_DENY_PROCS) procs = JSON.parse(process.env.VORTEX_CU_DENY_PROCS); } catch {}
+  titles = (Array.isArray(titles) ? titles : []).map(String).filter(Boolean);
+  procs = (Array.isArray(procs) ? procs : []).map(String).filter(Boolean);
+  process.env.VORTEX_CU_DENY_TITLES = JSON.stringify(titles);   // re-export for child inheritance (after normalization)
+  process.env.VORTEX_CU_DENY_PROCS = JSON.stringify(procs);
+  return { titles, procs };
+}
+const REDACTION = loadRedactionConfig();
+
+// ── TTS / audio-ducking config (file < env precedence, like the denylist) ──────────────────
+// Reads the `tts` section of computer-use.config.json and fills process.env ONLY where the matching env var is
+// unset, so a user can tune voice/engine/ducking in the config FILE (no env needed) while env still wins. The
+// values flow unchanged to the spawned speak helpers (speak-supertonic.mjs / speak.ps1), which read these env vars.
+function loadTtsConfig() {
+  let cfg = {};
+  try {
+    const cfgPath = CONFIG_PATH;
+    if (existsSync(cfgPath)) cfg = (JSON.parse(readFileSync(cfgPath, 'utf8')) || {}).tts || {};
+  } catch {}
+  const setIfUnset = (k, v) => { if (v !== undefined && v !== null && (process.env[k] === undefined || process.env[k] === '')) process.env[k] = String(v); };
+  setIfUnset('VORTEX_CU_TTS_ENGINE', cfg.engine);       // 'auto' (default) | 'supertonic' | 'heami'
+  setIfUnset('VORTEX_CU_TTS_VOICE', cfg.voice);         // Supertonic voice: F1..F5 / M1..M5
+  setIfUnset('VORTEX_CU_TTS_MODEL_DIR', cfg.modelDir);  // Supertonic model cache (default ~/.vortex/computer-use/supertonic-3)
+  setIfUnset('VORTEX_CU_TTS_LANG', cfg.lang);           // spoken language (defaults to the OCR language)
+  setIfUnset('VORTEX_CU_TTS_SPEED', cfg.speed);         // speech-rate multiplier (~1.0 = normal; empty = engine default)
+  if (cfg.duck === false) setIfUnset('VORTEX_CU_DUCK', 'off');   // lower other apps while speaking (default on)
+  // others -> original*factor during speech; clamp a finite value to 0..1 so a typo (e.g. 30) can't pass through (default 0.3).
+  const df = Number.isFinite(Number(cfg.duckFactor)) ? Math.max(0, Math.min(1, Number(cfg.duckFactor))) : cfg.duckFactor;
+  setIfUnset('VORTEX_CU_DUCK_FACTOR', df);
+}
+loadTtsConfig();
+
+// ── companion (adaptive screen companion) config — same file<env precedence ──
+// `companion.uiaCanvasMax` tunes the GPU-canvas (game/video) UIA cutoff; `companion.profiles` overrides per-class
+// cadence/proactivity (e.g. { "GAME": { "cadenceSec": 20 } }). Consumed by classify_activity.
+let COMPANION_PROFILES = {};
+function loadCompanionConfig() {
+  let cfg = {};
+  try {
+    const cfgPath = CONFIG_PATH;
+    if (existsSync(cfgPath)) cfg = (JSON.parse(readFileSync(cfgPath, 'utf8')) || {}).companion || {};
+  } catch {}
+  if (cfg.uiaCanvasMax != null && (process.env.VORTEX_CU_UIA_CANVAS_MAX === undefined || process.env.VORTEX_CU_UIA_CANVAS_MAX === '')) {
+    process.env.VORTEX_CU_UIA_CANVAS_MAX = String(cfg.uiaCanvasMax);
+  }
+  COMPANION_PROFILES = (cfg.profiles && typeof cfg.profiles === 'object') ? cfg.profiles : {};
+}
+loadCompanionConfig();
+
+// ── audit log (§8: metadata/HMAC only, original image not stored) ──────────────────────
+// Location = under LocalAppData (outside the instance data/ -> won't leak via corporate sync, codex MEDIUM). The key lives there too.
+const AUDIT_DIR = join(process.env.LOCALAPPDATA || join(homedir(), '.local', 'share'), 'vortex-computer-use', 'audit');
+function loadAuditKey() {
+  try {
+    mkdirSync(AUDIT_DIR, { recursive: true });
+    const kp = join(AUDIT_DIR, '.hmac-key');
+    if (existsSync(kp)) { const k = readFileSync(kp, 'utf8').trim(); if (k) return k; }
+    const k = randomBytes(32).toString('hex');
+    writeFileSync(kp, k, { mode: 0o600 });   // Windows ignores mode, but LocalAppData is per-user
+    return k;
+  } catch (e) {
+    // Auditing is a record, not an access control — a failed key setup must not block perception (capture); local tool availability. But don't swallow it silently — warn (codex r2 MEDIUM).
+    process.stderr.write(`[computer-use MCP] WARNING: audit log disabled — could not set up HMAC key (${(e && e.message) || e}). Perception still works; captures will NOT be audited.\n`);
+    return null;
+  }
+}
+const AUDIT_KEY = loadAuditKey();
+function auditHmac(buf) { return createHmac('sha256', AUDIT_KEY).update(buf).digest('hex'); }
+function auditLog(tool, payload, imageItems) {
+  if (!AUDIT_KEY) return;   // skip silently if key setup failed (the tool keeps working)
+  try {
+    const p = payload || {};
+    // Detect not only top-level redacted/partialRedacted but also the nested captures[].redacted of a multi-frame watch (codex r3 MEDIUM).
+    const isRed = !!(p.redacted || p.partialRedacted || (Array.isArray(p.captures) && p.captures.some((f) => f && f.redacted)));
+    const rec = {
+      ts: new Date().toISOString(), tool,
+      mode: typeof p.target === 'string' ? p.target : undefined,
+      titleHmac: p.window ? auditHmac(String(p.window)).slice(0, 16) : undefined,   // window title not stored in plaintext (HMAC only, A4-1)
+      redacted: isRed, reason: p.reason || undefined,
+      outputBytes: 0, contentHmac: undefined,
+    };
+    const h = createHmac('sha256', AUDIT_KEY);
+    if (imageItems && imageItems.length) {
+      for (const im of imageItems) { const b = Buffer.from(im.data, 'base64'); rec.outputBytes += b.length; h.update(b); }
+    } else { h.update(JSON.stringify(p)); }   // JSON.stringify blocks JSONL injection (newlines / control chars) (codex MEDIUM)
+    rec.contentHmac = h.digest('hex').slice(0, 32);
+    const day = rec.ts.slice(0, 10);
+    appendFileSync(join(AUDIT_DIR, `cu-${day}.jsonl`), JSON.stringify(rec) + '\n');
+  } catch {}
+}
+
+// OS-native backend (same as action-ext.mjs — a single source would be ideal, but it's duplicated since this is a PoC)
+const B = {
+  win32: {
+    probe:   ['pwsh', ['-NoProfile', '-File', join(dir, 'probe.ps1')]],
+    read:    ['pwsh', ['-NoProfile', '-File', join(dir, 'read-ui.ps1')]],
+    classify: ['pwsh', ['-NoProfile', '-File', join(dir, 'classify.ps1')]],
+    capture: ['pwsh', ['-NoProfile', '-File', join(dir, 'point-to-ask.ps1')]],
+  },
+  darwin: {
+    probe:   ['bash', [join(dir, 'mac', 'probe.sh')]],
+    read:    ['osascript', ['-l', 'JavaScript', join(dir, 'mac', 'read-ui.js')]],
+    capture: ['bash', [join(dir, 'mac', 'point-to-ask.sh')]],
+  },
+};
+
+// Returns: { payload, isError } — backend abnormal exit / non-JSON output is surfaced as isError (so an error never flows as if normal in the watch loop).
+function runBackend(kind, extraArgs = [], timeoutMs = 0) {
+  const b = B[plat]?.[kind];
+  if (!b) return { payload: { error: `unsupported platform/op: ${plat}/${kind}`, grade: 'P0 (manual) fallback' }, isError: true };
+  const [exe, base] = b;
+  // Optional hard timeout: a one-shot tool (e.g. classify_activity) must not let a hung COM/UIA call freeze the
+  // synchronous spawn (and thus the event loop). On timeout, spawnSync kills the child and sets r.error.
+  const opts = { encoding: 'utf8', maxBuffer: 8 * 1024 * 1024 };
+  if (timeoutMs > 0) { opts.timeout = timeoutMs; opts.killSignal = 'SIGKILL'; }
+  const r = spawnSync(exe, [...base, ...extraArgs], opts);
+  if (r.error) return { payload: { error: String(r.error) }, isError: true };
+  const failed = r.status !== 0;
+  try {
+    return { payload: JSON.parse(r.stdout), isError: failed };
+  } catch {
+    return { payload: { error: 'backend produced non-JSON output', exitCode: r.status, raw: (r.stdout || '').trim(), stderr: (r.stderr || '').trim() }, isError: true };
+  }
+}
+
+// Async backend runner for long/streaming ops (watch_capture). Never blocks the event loop, and a hard
+// timeout kills the child and returns isError — so one watch call can't hang the whole MCP server (codex #high).
+function runBackendAsync(kind, extraArgs = [], timeoutMs = 120000, cleanupDir = null) {
+  return new Promise((resolve) => {
+    const b = B[plat]?.[kind];
+    if (!b) return resolve({ payload: { error: `unsupported platform/op: ${plat}/${kind}`, grade: 'P0 (manual) fallback' }, isError: true });
+    const [exe, base] = b;
+    const MAX_OUT = 16 * 1024 * 1024;   // cap stdout/stderr accumulation; abort on overflow (codex #med DoS)
+    let out = '', err = '', settled = false, pending = null, killFallback = null;
+    const child = spawn(exe, [...base, ...extraArgs], { stdio: ['ignore', 'pipe', 'pipe'] });
+    const resolveOnce = (payload, isError, cleanupOwned = false) => {
+      if (settled) return; settled = true;
+      clearTimeout(timer); if (killFallback) clearTimeout(killFallback);
+      resolve({ payload, isError, cleanupOwned });
+    };
+    // Abort = decide the outcome + kill the child, but RESOLVE only after the child has CLOSED (file handles released)
+    // so the caller's reqDir cleanup can't race a still-flushing process (codex #high). If close never arrives within the
+    // grace window, resolve anyway but TAKE OWNERSHIP of reqDir cleanup (deferred to the eventual close, with a hard reaper)
+    // and signal cleanupOwned so the caller skips its own rmSync — we never delete a dir a live pwsh might still hold.
+    const abort = (payload) => {
+      if (pending || settled) return;
+      pending = payload;
+      try { child.kill(); } catch {}
+      killFallback = setTimeout(() => {
+        if (cleanupDir) {
+          child.once('close', () => { try { rmSync(cleanupDir, { recursive: true, force: true }); } catch {} });
+          const reaper = setTimeout(() => { try { rmSync(cleanupDir, { recursive: true, force: true }); } catch {} }, 30000);
+          if (reaper.unref) reaper.unref();
+        }
+        resolveOnce(pending, true, cleanupDir != null);
+      }, 3000);
+      if (killFallback.unref) killFallback.unref();
+    };
+    const timer = setTimeout(() => abort({ error: `watch timed out after ${timeoutMs}ms`, partial: (out || '').slice(0, 200) }), timeoutMs);
+    child.stdout.setEncoding('utf8'); child.stdout.on('data', (d) => { if (pending || settled) return; out += d; if (out.length > MAX_OUT) abort({ error: 'backend stdout exceeded cap' }); });
+    child.stderr.setEncoding('utf8'); child.stderr.on('data', (d) => { if (pending || settled || err.length >= MAX_OUT) return; err += d; });
+    child.on('error', (e) => resolveOnce({ error: String((e && e.message) || e) }, true));
+    child.on('close', (code) => {
+      if (pending) return resolveOnce(pending, true);   // aborted AND child closed within grace → caller can clean safely
+      if (settled) return;
+      try { resolveOnce(JSON.parse(out), code !== 0); }
+      catch { resolveOnce({ error: 'backend produced non-JSON output', exitCode: code, raw: (out || '').trim().slice(0, 500), stderr: (err || '').trim().slice(0, 500) }, true); }
+    });
+  });
+}
+
+// ── resident PowerShell worker (Windows MCP only) ─────────────────────────────
+// Removes the per-call pwsh re-spawn (~150-370ms setup) — keeps one worker alive and talks to it over JSON-lines.
+// Safeguards (codex cross-check): lazy start (spawn only on first call) · idle shutdown (N seconds with no command) ·
+//   single-worker command queue serialization · id matching · a generation (= process identity) guard to ignore stale events ·
+//   on crash, reject in-flight (no auto-retry of side-effect ops) · on no-response timeout, kill the worker and re-spawn.
+// Multi-instance: each MCP server has its own worker (dedicated pipe) -> no conflicts. On parent exit the
+//   worker auto-terminates via stdin EOF. watch isn't run on the worker (avoids long occupation) — done per-call.
+const WORKER = ['pwsh', ['-NoProfile', '-File', join(dir, 'worker.ps1')]];
+const WORKER_IDLE_MS = Number(process.env.VORTEX_AX_WORKER_IDLE_MS || 60000);
+const OP_TIMEOUT_MS = Number(process.env.VORTEX_AX_OP_TIMEOUT_MS || 10000);
+
+class WorkerManager {
+  constructor([exe, args]) { this.exe = exe; this.args = args; this.worker = null; this.buf = ''; this.seq = 0; this.inFlight = null; this.queue = []; this.idleTimer = null; }
+
+  call(op, args, timeoutMs = OP_TIMEOUT_MS) {
+    return new Promise((resolve, reject) => { this.queue.push({ op, args, timeoutMs, resolve, reject }); this._pump(); });
+  }
+
+  _spawn() {
+    const child = spawn(this.exe, this.args, { stdio: ['pipe', 'pipe', 'pipe'] });
+    this.worker = child; this.buf = '';
+    child.stdout.setEncoding('utf8');
+    child.stdout.on('data', (chunk) => {
+      if (child !== this.worker) return;                 // generation guard: ignore the old worker
+      this.buf += chunk;
+      let nl;
+      while ((nl = this.buf.indexOf('\n')) >= 0) {
+        const line = this.buf.slice(0, nl).trim();
+        this.buf = this.buf.slice(nl + 1);
+        if (line) this._onLine(line);
+      }
+    });
+    child.stderr.on('data', (d) => process.stderr.write(`[ax-worker] ${d}`));
+    child.stdin.on('error', () => {});                   // EPIPE etc. are cleaned up in exit/error — here we only prevent an unhandled crash
+    child.on('error', (err) => this._onGone(child, `worker spawn/runtime error: ${err && err.message}`));
+    child.on('exit', (code) => this._onGone(child, `worker exited (code ${code}) before responding`));
+  }
+
+  _onGone(child, reason) {
+    if (child !== this.worker) return;                   // generation guard: ignore an old / already-replaced worker
+    this.worker = null;
+    const f = this.inFlight;
+    if (f) { clearTimeout(f.timer); this.inFlight = null; f.reject(new Error(reason)); }
+    if (this.queue.length) this._pump();                 // run the backlog on a new worker (no auto-retry of side-effect ops)
+  }
+
+  _onLine(line) {
+    let msg;
+    try { msg = JSON.parse(line); } catch { process.stderr.write(`[ax-worker] non-JSON line dropped: ${line.slice(0, 120)}\n`); return; }
+    const f = this.inFlight;
+    if (!f || msg.id !== f.id) return;                   // stale/mismatch
+    clearTimeout(f.timer); this.inFlight = null;
+    if (msg.ok) f.resolve(msg.result); else f.reject(new Error(msg.error || 'worker error'));
+    this._pump();
+  }
+
+  _pump() {
+    if (this.inFlight) return;
+    if (this.queue.length === 0) { this._scheduleIdle(); return; }
+    if (this.idleTimer) { clearTimeout(this.idleTimer); this.idleTimer = null; }
+    if (!this.worker) this._spawn();
+    const job = this.queue.shift();
+    const id = ++this.seq;
+    const timer = setTimeout(() => {
+      if (this.inFlight && this.inFlight.id === id) {     // no response -> assume the worker is stuck and kill it
+        const w = this.worker; this.worker = null;
+        const rej = this.inFlight.reject; this.inFlight = null;
+        if (w) { try { w.kill(); } catch {} }
+        rej(new Error(`worker op timeout after ${job.timeoutMs}ms`));
+        this._pump();
+      }
+    }, job.timeoutMs);
+    this.inFlight = { id, resolve: job.resolve, reject: job.reject, timer };
+    try { this.worker.stdin.write(JSON.stringify({ id, op: job.op, args: job.args }) + '\n'); }
+    catch (e) {
+      clearTimeout(timer); this.inFlight = null;
+      const w = this.worker; this.worker = null;
+      if (w) { try { w.kill(); } catch {} }
+      job.reject(e); this._pump();                        // assume the worker is dead, clean up, and proceed to the next request (prevents queue stall)
+    }
+  }
+
+  _scheduleIdle() {
+    if (this.idleTimer || !this.worker) return;
+    this.idleTimer = setTimeout(() => { this.idleTimer = null; if (!this.inFlight && this.queue.length === 0) this.dispose(); }, WORKER_IDLE_MS);
+    if (this.idleTimer.unref) this.idleTimer.unref();
+  }
+
+  dispose() {
+    if (this.idleTimer) { clearTimeout(this.idleTimer); this.idleTimer = null; }
+    const w = this.worker; this.worker = null;
+    if (w) { try { w.stdin.end(); } catch {} try { w.kill(); } catch {} }
+  }
+}
+
+const workerMgr = new WorkerManager(WORKER);
+
+// watchIds this server process has dispatched a poll_change for — to detect a SILENT baseline reset
+// (the resident worker was idle-disposed / killed / crashed and lost its in-memory watch state). codex #high.
+const pollSeen = new Set();
+
+// Server-owned volatility (codex blocker, design §8): when a backend wrote screenshot file(s), read them inline as
+// MCP image content and DELETE them immediately — no on-disk path is returned, so a crashed/idle caller can't leave
+// sensitive screenshots behind. Bounded: at most MAX_INLINE_IMAGES are embedded; extras are still unlinked + counted.
+const MAX_INLINE_IMAGES = 8;
+const MAX_IMAGE_BYTES = 8 * 1024 * 1024;          // per-image cap (codex #med — bound response size, avoid blocking read)
+const MAX_TOTAL_INLINE_BYTES = 24 * 1024 * 1024;  // total inline cap across a response
+function materializeImages(payload) {
+  const images = [];
+  let inlined = 0, dropped = 0, totalBytes = 0;
+  const take = (p) => {
+    if (!p || typeof p !== 'string') return false;
+    let ok = false;
+    try {
+      const sz = statSync(p).size;
+      if (inlined < MAX_INLINE_IMAGES && sz <= MAX_IMAGE_BYTES && totalBytes + sz <= MAX_TOTAL_INLINE_BYTES) {
+        images.push({ type: 'image', data: readFileSync(p).toString('base64'), mimeType: 'image/png' });
+        inlined++; totalBytes += sz; ok = true;
+      } else { dropped++; }
+    } catch { /* file already gone — fine */ }
+    try { unlinkSync(p); } catch {}
+    return ok;
+  };
+  if (payload && typeof payload === 'object') {
+    if (payload.path) { const g = take(payload.path); delete payload.path; payload.image = g ? 'inline' : 'unavailable'; }
+    if (Array.isArray(payload.captures)) {
+      for (const f of payload.captures) { if (f && f.path) { const g = take(f.path); delete f.path; f.image = g ? 'inline' : 'unavailable'; } }
+    }
+    if (dropped > 0) payload.imagesDropped = dropped;
+  }
+  return images;
+}
+
+async function viaWorker(op, args, timeoutMs) {
+  try { return { payload: await workerMgr.call(op, args, timeoutMs), isError: false }; }
+  catch (e) { return { payload: { error: String((e && e.message) || e) }, isError: true }; }
+}
+
+// ── watch sessions: background noise-filtered watch + in-memory event buffer (design §22.1·§22.2) ──
+// start_watch spins a non-blocking poll loop OWNED BY THIS SERVER — not a separate process, and not the
+// single worker's request slot (the worker stays a dumb single-shot capture engine; long watches must
+// not occupy it, codex #1). Each tick polls the target's frame-to-frame change via the worker, feeds it
+// to a NoiseFilter (debounce + cooldown + maxWait), and on an emit captures the settled frame and
+// appends an event to a bounded in-memory ring buffer. get_events drains the buffer (non-blocking,
+// batched -> few LLM looks); stop_watch ends it. The buffer is memory-only with count/byte/TTL caps and
+// the frames live in RAM only (design §24.1 — no screen history on disk; the brief capture temp file is
+// materialized inline + unlinked at once). Denylist + volatility apply per frame via the reused worker ops.
+// Concurrency is deliberately conservative: every watch tick enqueues a poll_change on the SAME single
+// PowerShell worker the foreground tools use, so too many fast watches would starve the agent's own
+// capture_screen/read_ui calls (codex MED). 4 watches at a 400ms floor caps worst-case worker pressure at
+// ~10 polls/s; a global foreground-priority queue is the documented next step if this proves tight.
+const MAX_WATCHES = 4;                          // concurrent background watches cap
+const WATCH_MIN_INTERVAL = 400, WATCH_MAX_INTERVAL = 5000;
+const WATCH_DEFAULT_INTERVAL = 600;
+const WATCH_MAX_DURATION_MS = 30 * 60 * 1000;   // auto-stop a forgotten watch (privacy §8 + runaway guard)
+const EVENT_RING_MAX = 64;                       // max buffered events per watch (oldest dropped when full)
+const EVENT_TTL_MS = 5 * 60 * 1000;              // buffered events older than this are evicted unread (§24.1 TTL)
+const EVENT_IMG_MAX_BYTES = 4 * 1024 * 1024;     // per-event inline image cap
+const WATCH_BUF_MAX_BYTES = 24 * 1024 * 1024;    // total inline image bytes held across one watch buffer
+const GET_EVENTS_MAX = 12;                       // events returned per get_events call
+const GET_EVENTS_MAX_IMAGES = 8;                 // image items returned per get_events call (MCP response bound)
+const round2 = (n) => (Number.isFinite(Number(n)) ? Math.round(Number(n) * 100) / 100 : n);
+
+function buildWatchTargetArgs(a) {
+  const t = {};
+  if (a.region) t.region = `${a.region.x},${a.region.y},${a.region.w},${a.region.h}`;
+  if (a.window) t.windowMatch = String(a.window);
+  if (a.monitor != null) t.monitor = String(a.monitor);
+  if (a.boxW) t.boxW = a.boxW;
+  if (a.boxH) t.boxH = a.boxH;
+  if (a.detail) t.detail = String(a.detail);
+  return t;
+}
+function watchTargetLabel(a) {
+  if (a.region) return `region ${a.region.x},${a.region.y} ${a.region.w}x${a.region.h}`;
+  if (a.window) return `window "${a.window}"`;
+  if (a.monitor != null) return `monitor ${a.monitor}`;
+  return 'cursor';
+}
+
+// ── reflex path: fixed-phrase / OCR readout spoken LOCALLY, no cloud round-trip (design §22.3) ──
+// A registered trigger crossing fires beep / say(fixed phrase) / ocr(read the region's text) directly from
+// the watch loop. Speech goes through the GLOBAL speech safety (codex r1): screen-derived text (ocr) is
+// never voiced raw — it gets a "화면 글자:" provenance prefix + control/secret shaping + a per-minute
+// utterance & seconds budget with no-overlap and auto-mute. OCR uses the in-box Windows PowerShell 5.1
+// (pwsh 7 can't load WinRT OCR); TTS uses pwsh 7 System.Speech. Both are spawned (non-blocking) and
+// degrade silently if absent. The OCR crop comes from the SAME denylist-gated worker capture (never an
+// arbitrary file), so a denylisted window blocks reflex OCR too (codex r1 MED).
+const PS51 = join(process.env.WINDIR || 'C:\\Windows', 'System32', 'WindowsPowerShell', 'v1.0', 'powershell.exe');
+const OCR_SCRIPT = join(dir, 'ocr.ps1');
+const SPEAK_SCRIPT = join(dir, 'speak.ps1');
+const OCR_LANG = process.env.VORTEX_CU_OCR_LANG || 'ko';
+const SPEAK_TOWAV_DIR = process.env.VORTEX_CU_SPEAK_TOWAV_DIR || '';   // test hook: render speech to WAV instead of audio
+const speechBudget = new SpeechBudget();                              // GLOBAL across all watches (one set of ears)
+let speakingChild = null;
+let speakSeq = 0;
+
+const MAX_SPEAK_MS = 30000;   // hard upper bound for one utterance so a hung TTS can't hold the no-overlap lock forever (codex r2 MED)
+
+// Provenance for screen-derived speech (ocr/vision): by DEFAULT a self-documenting verbal prefix ("화면 글자:" …)
+// so even a first-time listener knows the source — this is the prior HIGH control (voicing raw screen text is a
+// social-engineering channel) and a chime alone can't convey it, so spoken stays the default (codex r1 HIGH).
+// VORTEX_CU_SPEECH_PROVENANCE=earcon is an explicit opt-in to a non-verbal chime instead. Either way the source
+// is marked. Agent/user-authored speech ('agent' via the `speak` tool, and a fixed 'say' phrase) is trusted
+// content and carries NO provenance mark.
+const SPEECH_PROVENANCE_EARCON = process.env.VORTEX_CU_SPEECH_PROVENANCE === 'earcon';
+const EARCON_EST_MS = 250;   // chime duration to reserve against the speech budget when earcon mode is on (codex r1 LOW)
+
+// ── TTS engine: Supertonic (separate-install ONNX neural, higher quality) with Heami fallback ──
+// The audio-RENDER step only. The safety/budget/provenance layer above (buildUtterance + speechBudget) is
+// engine-agnostic; only the final spawn differs. Engine is resolved ONCE at startup (not per-utterance): 'auto'
+// picks Supertonic when its models + onnxruntime-node are present, else the always-available Heami (speak.ps1).
+// VORTEX_CU_TTS_ENGINE=auto|supertonic|heami. Models live in VORTEX_CU_TTS_MODEL_DIR (fetch-supertonic.mjs writes
+// the default ~/.vortex/computer-use/supertonic-3). Voice VORTEX_CU_TTS_VOICE (F1..F5/M1..M5), lang follows OCR_LANG.
+const SPEAK_SUPERTONIC = join(dir, 'speak-supertonic.mjs');
+const TTS_ENGINE_CFG = (process.env.VORTEX_CU_TTS_ENGINE || 'auto').toLowerCase();
+const TTS_MODEL_DIR = process.env.VORTEX_CU_TTS_MODEL_DIR || join(homedir(), '.vortex', 'computer-use', 'supertonic-3');
+const TTS_VOICE = process.env.VORTEX_CU_TTS_VOICE || 'F1';
+const TTS_LANG = process.env.VORTEX_CU_TTS_LANG || OCR_LANG;
+// Speech-rate multiplier (config `tts.speed` / env VORTEX_CU_TTS_SPEED). Empty/invalid -> each engine keeps its own
+// default (Supertonic 1.05; Heami SAPI rate 0). Supertonic takes the multiplier verbatim as --speed; Heami's SAPI
+// rate is an integer -10..10, so map the multiplier linearly around 1.0 (1.18 -> +2) and clamp. The multiplier itself
+// is clamped to 0.5..2.0 so a config typo (e.g. 18 for 1.8) can't produce unusable audio. Unset or blank ('' /
+// whitespace) -> engine default (blank is checked BEFORE Number(), since Number('') is 0, not NaN); a non-numeric
+// value -> NaN -> engine default; an explicit 0 is a real (invalid) speed that clamps up to 0.5.
+const TTS_SPEED_ENV = process.env.VORTEX_CU_TTS_SPEED;
+const TTS_SPEED_RAW = (TTS_SPEED_ENV == null || String(TTS_SPEED_ENV).trim() === '') ? NaN : Number(TTS_SPEED_ENV);
+const TTS_SPEED = Number.isFinite(TTS_SPEED_RAW) ? Math.max(0.5, Math.min(2.0, TTS_SPEED_RAW)) : null;
+const HEAMI_RATE = TTS_SPEED != null ? Math.max(-10, Math.min(10, Math.round((TTS_SPEED - 1) * 10))) : null;
+function supertonicAvailable() {
+  try {
+    const onnx = join(TTS_MODEL_DIR, 'onnx');
+    const need = ['duration_predictor.onnx', 'text_encoder.onnx', 'vector_estimator.onnx', 'vocoder.onnx', 'tts.json', 'unicode_indexer.json'];
+    if (!need.every((f) => existsSync(join(onnx, f)))) return false;
+    if (!existsSync(join(TTS_MODEL_DIR, 'voice_styles', `${TTS_VOICE}.json`))) return false;
+    import.meta.resolve('onnxruntime-node');   // throws if the optional dep isn't installed -> fall back to Heami
+    return true;
+  } catch { return false; }
+}
+// 'heami' forces SAPI; 'supertonic'/'auto' use Supertonic when actually available, else fall back (never go mute).
+const TTS_ENGINE = TTS_ENGINE_CFG === 'heami' ? 'heami'
+  : ((TTS_ENGINE_CFG === 'supertonic' || TTS_ENGINE_CFG === 'auto') && supertonicAvailable() ? 'supertonic' : 'heami');
+
+// Speak a finalized utterance without blocking the watch loop.
+//   kind: 'agent' (the `speak` tool — agent's judged words, no mark, redacted) | 'say' (fixed phrase, no mark)
+//       | 'ocr' | 'vision' (screen-derived, untrusted — marked + shaped).
+function reflexSpeak(kind, text) {
+  const screenDerived = kind === 'ocr' || kind === 'vision';
+  const earcon = screenDerived && SPEECH_PROVENANCE_EARCON;
+  // Earcon mode carries provenance via the chime, so DON'T bake the spoken prefix — but keep the SAME shaping
+  // (control-char strip, secret redaction, length cap) buildUtterance applies to screen text.
+  const utt = earcon ? sanitizeForSpeech(text) : buildUtterance(kind, text);
+  if (!utt) return { ok: false, reason: 'empty' };
+  const res = speechBudget.tryReserve(estimateSpeechMs(utt) + (earcon ? EARCON_EST_MS : 0), Date.now());
+  if (!res.ok) return res;
+  try {
+    let child;
+    if (TTS_ENGINE === 'supertonic') {
+      // Render via the separate-install ONNX neural engine (higher quality). Same spawn lifecycle as Heami below:
+      // non-blocking, killed by the MAX_SPEAK_MS watchdog, budget released exactly once on exit.
+      const sargs = [SPEAK_SUPERTONIC, '--text', utt, '--voice', TTS_VOICE, '--lang', TTS_LANG, '--model-dir', TTS_MODEL_DIR];
+      if (TTS_SPEED != null) sargs.push('--speed', String(TTS_SPEED));
+      if (earcon) sargs.push('--earcon');
+      if (SPEAK_TOWAV_DIR) sargs.push('--to-wav', join(SPEAK_TOWAV_DIR, `utt-${++speakSeq}.wav`));
+      child = spawn(process.execPath, sargs, { stdio: 'ignore' });
+    } else {
+      const args = ['-NoProfile', '-File', SPEAK_SCRIPT, '-Text', utt];
+      if (HEAMI_RATE != null) args.push('-Rate', String(HEAMI_RATE));
+      if (earcon) args.push('-Earcon', 'screen');
+      if (SPEAK_TOWAV_DIR) args.push('-ToWav', join(SPEAK_TOWAV_DIR, `utt-${++speakSeq}.wav`));
+      child = spawn('pwsh', args, { stdio: 'ignore' });
+    }
+    speakingChild = child;
+    // Release the budget EXACTLY ONCE per child, and only if this child still owns the active reservation —
+    // a late/duplicate exit+error event must not free a newer utterance's slot (codex r2 LOW/MED). A hard
+    // timeout kills a hung speaker so it can't deadlock no-overlap (codex r2 MED).
+    let released = false;
+    const done = () => { if (released) return; released = true; clearTimeout(killer); if (speakingChild === child) { speakingChild = null; speechBudget.release(); } };
+    const killer = setTimeout(() => { try { child.kill(); } catch {} done(); }, MAX_SPEAK_MS);
+    if (killer.unref) killer.unref();
+    child.on('exit', done); child.on('error', done);
+    return { ok: true, uttered: utt };
+  } catch { speechBudget.release(); return { ok: false, reason: 'spawn-failed' }; }
+}
+
+// OCR a worker-captured temp PNG via the 5.1 helper, hard time-bounded; returns recognized text or null.
+// Resolves only AFTER the child has CLOSED (even on timeout: kill, then wait for close) so the PNG file
+// handle is released before the caller unlinks the crop — otherwise a still-open handle leaves a screen
+// crop on disk (codex r2 MED).
+function runOcr(pngPath) {
+  return new Promise((resolve) => {
+    let out = '', settled = false, killed = false, child;
+    const done = (v) => { if (settled) return; settled = true; clearTimeout(timer); resolve(v); };
+    try {
+      child = spawn(PS51, ['-NoProfile', '-NonInteractive', '-ExecutionPolicy', 'Bypass', '-File', OCR_SCRIPT, '-ImagePath', pngPath, '-Lang', OCR_LANG], { stdio: ['ignore', 'pipe', 'ignore'] });
+    } catch { return resolve(null); }
+    const timer = setTimeout(() => { killed = true; try { child.kill(); } catch {} }, 6000);
+    child.stdout.setEncoding('utf8');
+    child.stdout.on('data', (d) => { out += d; if (out.length > 65536) { killed = true; try { child.kill(); } catch {} } });
+    child.on('error', () => done(null));
+    child.on('close', () => { if (killed) return done(null); try { const j = JSON.parse(out.trim()); done(j && j.ok ? j.text : null); } catch { done(null); } });
+  });
+}
+
+// ── local VLM "middle path" (design §22.3 / §23.2 / §24): OPTIONAL, GPU-gated, off unless a trusted fast
+// local endpoint is reachable. The reflex/brain paths work with no GPU; this only adds a smarter local
+// description when the hardware allows. Capability is PROBED per session (never stored), with a SYNTHETIC
+// image first (never a real crop before the endpoint is trusted), and gated on a measured latency SLA.
+const VLM = parseVlmConfig();
+const VLM_PROBE_TTL = 5 * 60 * 1000;
+let vlmProbe = null, vlmProbeAt = 0, vlmProbing = null;
+
+const VLM_MAX_CROP_BYTES = 6 * 1024 * 1024;   // bound the data: URL we send (crop is already size-bounded; defence-in-depth)
+const VLM_MAX_RESP_BYTES = 256 * 1024;        // a short description reply is tiny — cap a hostile/huge response (codex MED)
+
+// Read a response body up to maxBytes, then stop (so a huge/streaming reply can't exhaust memory).
+async function readCappedText(r, maxBytes) {
+  const reader = r.body && r.body.getReader ? r.body.getReader() : null;
+  if (!reader) { const t = await r.text(); return t.length <= maxBytes ? t : null; }
+  let total = 0; const parts = [];
+  for (;;) {
+    const { done, value } = await reader.read();
+    if (done) break;
+    if (value) { total += value.length; if (total > maxBytes) { try { await reader.cancel(); } catch {} return null; } parts.push(Buffer.from(value)); }
+  }
+  return Buffer.concat(parts).toString('utf8');
+}
+
+async function httpChat(body, timeoutMs) {
+  const ctrl = new AbortController();
+  const timer = setTimeout(() => ctrl.abort(), timeoutMs);
+  try {
+    const headers = { 'content-type': 'application/json' };
+    if (VLM.key) headers.authorization = `Bearer ${VLM.key}`;
+    // redirect:'manual' so a 3xx can't replay this POST (with a real crop) to a DIFFERENT host, bypassing
+    // the remote-off trust gate (codex MED). A local VLM server never needs redirects → treat any non-2xx as fail.
+    const r = await fetch(`${VLM.endpoint}/chat/completions`, { method: 'POST', headers, body: JSON.stringify(body), signal: ctrl.signal, redirect: 'manual' });
+    if (!r.ok || r.type === 'opaqueredirect') return { ok: false, status: r.status, redirected: r.type === 'opaqueredirect' };
+    const clen = Number(r.headers.get('content-length') || 0);
+    if (clen && clen > VLM_MAX_RESP_BYTES) return { ok: false, error: 'response too large' };
+    const txt = await readCappedText(r, VLM_MAX_RESP_BYTES);
+    if (txt === null) return { ok: false, error: 'response exceeded cap' };
+    try { return { ok: true, json: JSON.parse(txt) }; } catch { return { ok: false, error: 'non-JSON response' }; }
+  } catch (e) { return { ok: false, error: String((e && e.name === 'AbortError') ? 'timeout' : (e && e.message) || e) }; }
+  finally { clearTimeout(timer); }
+}
+
+// Probe the VLM with a SYNTHETIC image only (no real screen) — measure reachability + latency, confirm a
+// usable reply. Cached per process for VLM_PROBE_TTL. Note: synthetic latency is a LOWER bound (a real crop
+// is larger/slower), so it gates OUT a too-slow endpoint but doesn't guarantee a real call is within budget.
+async function probeVlm() {
+  const gate = vlmGate(VLM);
+  if (!gate.ok) return { available: false, reason: gate.reason, tier: gate.tier };
+  const now = Date.now();
+  if (vlmProbe && now - vlmProbeAt < VLM_PROBE_TTL) return vlmProbe;
+  if (vlmProbing) return vlmProbing;
+  vlmProbing = (async () => {
+    const t0 = Date.now();
+    const res = await httpChat(buildChatBody(VLM.model, '이미지가 보이면 ok 라고만 답해.', SYNTH_PNG_B64, 8), VLM.slaMs);
+    const latencyMs = Date.now() - t0;
+    let out;
+    if (!res.ok) out = { available: false, reason: `endpoint not reachable (${res.error || 'http ' + res.status})`, tier: gate.tier };
+    else if (latencyMs > VLM.slaMs) out = { available: false, reason: `too slow (${latencyMs}ms > ${VLM.slaMs}ms SLA)`, tier: gate.tier, latencyMs };
+    else out = { available: true, tier: gate.tier, model: VLM.model, latencyMs };
+    vlmProbe = out; vlmProbeAt = Date.now(); vlmProbing = null;
+    return out;
+  })();
+  return vlmProbing;
+}
+
+// Describe a worker-captured crop with the local VLM. Returns a short text or null. Output is UNTRUSTED
+// (the caller speaks it via buildUtterance('vision', …) so it gets the "로컬 비전:" prefix + shaping + budget).
+async function runVlm(pngPath) {
+  let b64;
+  try {
+    if (statSync(pngPath).size > VLM_MAX_CROP_BYTES) return null;   // bound the data: URL (codex MED)
+    b64 = readFileSync(pngPath).toString('base64');
+  } catch { return null; }
+  const res = await httpChat(buildChatBody(VLM.model, DEFAULT_VLM_PROMPT, b64, VLM.maxTokens), Math.min(20000, VLM.slaMs * 3));
+  if (!res.ok) return null;
+  return extractText(res.json) || null;
+}
+
+// Validate caller triggers into safe internal trigger objects. Triggers evaluate against the watch's main
+// target region. Capped, clamped, action-gated. `say` content is sanitized (not screen-derived → not redacted).
+function parseTriggers(raw) {
+  if (!Array.isArray(raw)) return [];
+  const out = [];
+  for (const t of raw.slice(0, 8)) {
+    if (!t || typeof t !== 'object') continue;
+    const action = ['say', 'ocr', 'vision'].includes(t.action) ? t.action : 'beep';
+    const th = Number(t.threshold);
+    const threshold = Math.min(100, Math.max(0.5, Number.isFinite(th) && th > 0 ? th : 12));
+    const cd = Number(t.cooldownMs);
+    const cooldownMs = Math.min(600000, Math.max(1500, Number.isFinite(cd) && cd > 0 ? Math.floor(cd) : 8000));
+    const trg = { action, threshold, cooldownMs, armed: true, pending: false, pendingTs: 0, lastFireTs: 0, fires: 0 };
+    if (action === 'say') trg.say = sanitizeForSpeech(String(t.say || ''), { redactTokens: false }) || '알림';
+    if (action === 'beep') trg.beep = ['info', 'warn', 'urgent'].includes(t.beep) ? t.beep : 'warn';
+    if (action === 'ocr' || action === 'vision') { const dw = Number(t.dwellMs); trg.dwellMs = Math.min(3000, Math.max(0, Number.isFinite(dw) && dw >= 0 ? dw : 700)); }
+    out.push(trg);
+  }
+  return out;
+}
+
+class WatchSession {
+  constructor(watchId, a) {
+    this.watchId = watchId;
+    this.bgId = `__watch_${watchId}`;             // worker poll-continuity slot, isolated from agent poll_change ids
+    this.targetArgs = buildWatchTargetArgs(a);
+    this.targetLabel = watchTargetLabel(a);
+    const iv = Number(a.pollIntervalMs);
+    this.pollIntervalMs = Math.min(WATCH_MAX_INTERVAL, Math.max(WATCH_MIN_INTERVAL, Number.isFinite(iv) && iv > 0 ? Math.floor(iv) : WATCH_DEFAULT_INTERVAL));
+    this.filter = new NoiseFilter(a);
+    this.cfg = this.filter.cfg;
+    this.outDir = mkdtempSync(join(tmpdir(), 'vortex-cu-watch-'));
+    this.ring = [];                               // [{seq, ts, reason, peakPct, ..., _img?}]
+    this.seq = 0; this.dropped = 0; this.bufBytes = 0;
+    this.polls = 0; this.emitted = 0; this.redactedFrames = 0;
+    this.lastChangePct = null; this.lastPollTs = null;
+    this.lastError = null; this.consecErrors = 0;
+    this.triggers = parseTriggers(a.triggers);    // reflex triggers on the main target region (§22.3)
+    this.reflexFires = 0; this.lastReflex = null;
+    this.startedAt = Date.now();
+    this.stopped = false; this.stopReason = null;
+    this._timer = null;
+  }
+
+  start() { this._schedule(0); return this.status(); }   // first tick goes through the same guarded path (no unhandled rejection, codex LOW)
+
+  _schedule(delayMs = this.pollIntervalMs) {
+    if (this.stopped) return;
+    this._timer = setTimeout(() => { this._tick().catch(() => { if (!this.stopped) this._schedule(); }); }, delayMs);
+    if (this._timer.unref) this._timer.unref();
+  }
+
+  async _tick() {
+    if (this.stopped) return;
+    this._evict();   // enforce the TTL on EVERY tick, not just on emit/get_events — a buffered frame must not outlive EVENT_TTL_MS even if the client never polls (codex HIGH, privacy §24.1)
+    if (Date.now() - this.startedAt > WATCH_MAX_DURATION_MS) { this._stop('max watch duration reached (auto-stopped)'); return; }
+    this.polls++;
+    const reset = this.polls === 1;
+    const wa = { ...this.targetArgs, watchId: this.bgId };
+    if (reset) wa.reset = true;
+    const res = await viaWorker('poll_change', wa, OP_TIMEOUT_MS);
+    if (this.stopped) return;   // stop_watch/dispose may have fired during the await — don't resume into a torn-down session (codex HIGH race)
+    const p = res.payload || {};
+    if (res.isError) {
+      this.consecErrors++; this.lastError = String(p.error || 'poll failed');
+      if (this.consecErrors >= 5) { this._stop(`stopped after repeated poll errors: ${this.lastError}`); return; }
+    } else {
+      this.consecErrors = 0;
+      this.lastChangePct = p.changePct != null ? round2(p.changePct) : null;
+      this.lastPollTs = Date.now();
+      if (p.redacted) {
+        // A denylisted window overlaps the target -> no capture this frame. Treat as a blind gap (don't feed
+        // the filter a fake diff); surface the count in status so the agent knows the watch is partially blind.
+        this.redactedFrames++;
+      } else {
+        const baseline = p.baseline === true;     // includes a silent worker stateReset (fresh baseline)
+        const c = p.changePct != null ? p.changePct : 0;
+        const emit = this.filter.push({ changePct: c, now: this.lastPollTs, baseline });
+        if (emit) { try { await this._onEmit(emit, p); } catch (e) { this.lastError = `emit/capture failed: ${String((e && e.message) || e)}`; } }
+        // Reflex triggers run on the RAW per-tick change (not the settled-event path) — fast local beep/say/ocr.
+        if (!baseline && this.triggers.length) { try { await this._evalReflexes(c, this.lastPollTs); } catch (e) { this.lastError = `reflex failed: ${String((e && e.message) || e)}`; } }
+      }
+    }
+    if (!this.stopped) this._schedule();
+  }
+
+  async _onEmit(emit, pollPayload) {
+    const cap = await viaWorker('capture', { ...this.targetArgs, outDir: this.outDir }, OP_TIMEOUT_MS);
+    if (this.stopped) {
+      materializeImages(cap.payload);   // stopped during the capture await — unlink the just-captured temp frame and drop it (don't push into a disposed session, codex HIGH race)
+      try { rmSync(this.outDir, { recursive: true, force: true }); } catch {}   // the worker may have recreated outDir to write that frame — clear the now-empty dir (codex r2 residual)
+      return;
+    }
+    const cp = cap.payload || {};
+    const ev = { seq: ++this.seq, ts: Date.now(), reason: emit.reason, peakPct: round2(emit.peakPct), activeMs: emit.activeMs, target: this.targetLabel };
+    if (cap.isError) {
+      ev.captureError = String(cp.error || 'capture failed');
+    } else if (cp.redacted) {
+      ev.redacted = true; ev.note = 'settled change detected but the frame was withheld (denylisted window in region)';
+    } else {
+      const items = materializeImages(cp);        // reads the temp PNG inline as base64 and unlinks it (§8 volatility)
+      const img = items[0];
+      if (img) {
+        const bytes = Buffer.from(img.data, 'base64').length;
+        if (bytes <= EVENT_IMG_MAX_BYTES) { ev._img = img; ev.bytes = bytes; this.bufBytes += bytes; }
+        else ev.imageDropped = `image too large (${bytes} bytes)`;
+      }
+      if (cp.outputSize) ev.outputSize = cp.outputSize;
+      if (cp.approxTokens != null) ev.approxTokens = cp.approxTokens;
+      if (cp.captureRect) ev.captureRect = cp.captureRect;
+    }
+    this.emitted++;
+    this.ring.push(ev);
+    this._evict();
+  }
+
+  // Reflex evaluation: per trigger, fire when the raw change crosses its threshold — with hysteresis
+  // (re-arm only after it goes quiet), per-trigger cooldown, and (for ocr) a one-tick dwell so we read a
+  // settled frame rather than a half-drawn one (codex r1 MED). The reflex bypasses the noise-filter debounce
+  // for speed but keeps these throttles + the global speech budget (codex r1 — no denial-of-attention).
+  async _evalReflexes(changePct, now) {
+    for (const trg of this.triggers) {
+      // A pending ocr dwell fires after dwellMs regardless of the current change (the point is a stable frame).
+      if (trg.pending) {
+        if (now - trg.pendingTs >= trg.dwellMs) { trg.pending = false; trg.armed = false; trg.lastFireTs = now; trg.fires++; await this._fireTrigger(trg); }
+        continue;
+      }
+      if (changePct < trg.threshold * 0.5) trg.armed = true;            // hysteresis: re-arm once it settles below half
+      if (changePct < trg.threshold || !trg.armed) continue;
+      if (now - trg.lastFireTs < trg.cooldownMs) continue;             // per-trigger cooldown
+      if (trg.action === 'ocr') { trg.pending = true; trg.pendingTs = now; continue; }   // dwell one tick, then read
+      trg.armed = false; trg.lastFireTs = now; trg.fires++;
+      await this._fireTrigger(trg);
+    }
+  }
+
+  async _fireTrigger(trg) {
+    if (this.stopped) return;
+    if (trg.action === 'beep') { this._reflexNote(trg, 'beep'); await viaWorker('beep', { pattern: trg.beep }); return; }
+    if (trg.action === 'say') { const r = reflexSpeak('say', trg.say); this._reflexNote(trg, r.ok ? 'say' : `say-skip:${r.reason}`); return; }
+    // 'vision' uses the local VLM if it's available this session; otherwise it degrades to OCR (A always works).
+    let kind = trg.action;   // 'ocr' | 'vision'
+    if (kind === 'vision') { const pv = await probeVlm(); if (this.stopped) return; if (!pv.available) kind = 'ocr'; }   // graceful degrade -> read text
+    // Outcome label: surface the degrade ("vision→ocr") in EVERY branch (redacted/nocapture/empty/said), not just success.
+    const tag = (k) => (trg.action === 'vision' && k === 'ocr') ? 'vision→ocr' : k;
+    // Capture the region through the SAME denylist-gated worker path (never an arbitrary file), then read it.
+    const cap = await viaWorker('capture', { ...this.targetArgs, outDir: this.outDir }, OP_TIMEOUT_MS);
+    if (this.stopped) { materializeImages(cap.payload); return; }
+    const cp = cap.payload || {};
+    if (cp.redacted) { this._reflexNote(trg, `${tag(kind)}-redacted`); return; }   // denylisted window in region -> stay blind
+    if (cap.isError || !cp.path) { this._reflexNote(trg, `${tag(kind)}-nocapture`); return; }
+    let text = null, usedKind = kind;
+    try {
+      if (kind === 'vision') {
+        text = await runVlm(cp.path);
+        // The probe said available but the LIVE call can still fail (model unloaded, timeout) — degrade to OCR (codex low).
+        if (text == null && !this.stopped) { usedKind = 'ocr'; text = await runOcr(cp.path); }
+      } else {
+        text = await runOcr(cp.path);
+      }
+    } finally { try { unlinkSync(cp.path); } catch {} }   // volatile: delete the crop after reading (§8)
+    if (this.stopped) return;
+    if (!text) { this._reflexNote(trg, `${tag(usedKind)}-empty`); return; }
+    const r = reflexSpeak(usedKind === 'vision' ? 'vision' : 'ocr', text);   // screen-derived (untrusted) -> provenance chime (or verbal prefix in spoken mode)
+    this._reflexNote(trg, r.ok ? `${tag(usedKind)}-said` : `${tag(usedKind)}-skip:${r.reason}`);
+  }
+
+  _reflexNote(trg, outcome) { this.reflexFires++; this.lastReflex = { ts: Date.now(), action: trg.action, outcome }; }
+
+  _evict() {
+    const cut = Date.now() - EVENT_TTL_MS;
+    while (this.ring.length && this.ring[0].ts < cut) this._drop(this.ring.shift());
+    while (this.ring.length > EVENT_RING_MAX) this._drop(this.ring.shift());
+    while (this.bufBytes > WATCH_BUF_MAX_BYTES && this.ring.length > 0) this._drop(this.ring.shift());
+  }
+  _drop(ev) { if (ev && ev.bytes) this.bufBytes -= ev.bytes; this.dropped++; }
+
+  drain(max = GET_EVENTS_MAX, maxImages = GET_EVENTS_MAX_IMAGES) {
+    this._evict();
+    // Drain only as far as we can return EVERYTHING we remove: stop BEFORE an image-bearing event that would
+    // exceed the per-call image cap, leaving it (and the rest) buffered for the next call (codex MED — never
+    // remove an event whose frame we then have to discard). Metadata-only events keep draining up to `max`.
+    const images = []; const records = [];
+    const cap = Math.max(1, max);
+    while (this.ring.length && records.length < cap) {
+      const ev = this.ring[0];
+      if (ev._img && images.length >= maxImages) break;   // would overflow images — leave it buffered, truthfully report remaining
+      this.ring.shift();
+      if (ev.bytes) this.bufBytes -= ev.bytes;
+      const rec = { ...ev }; delete rec._img;
+      if (ev._img) { images.push(ev._img); rec.image = 'inline'; }
+      records.push(rec);
+    }
+    return { records, images, remaining: this.ring.length };
+  }
+
+  status() {
+    this._evict();
+    return {
+      watchId: this.watchId, target: this.targetLabel, running: !this.stopped, stopReason: this.stopReason || undefined,
+      pollIntervalMs: this.pollIntervalMs, polls: this.polls, lastChangePct: this.lastChangePct,
+      ageMs: Date.now() - this.startedAt, buffered: this.ring.length, dropped: this.dropped, emitted: this.emitted,
+      redactedFrames: this.redactedFrames || undefined, filterPhase: this.filter.status.phase,
+      thresholds: { activityThreshold: this.cfg.activityThreshold, quietThreshold: this.cfg.quietThreshold, debounceQuietMs: this.cfg.debounceQuietMs, cooldownMs: this.cfg.cooldownMs, maxWaitMs: this.cfg.maxWaitMs },
+      triggers: this.triggers.length || undefined, reflexFires: this.reflexFires || undefined, lastReflex: this.lastReflex || undefined,
+      lastError: this.lastError || undefined,
+    };
+  }
+
+  // Stop the loop. On an INVOLUNTARY stop (auto-stop at max duration / repeated errors), the client may never
+  // call stop_watch, so we must not keep screen frames in RAM indefinitely: drop the captured frames now and
+  // remove the (otherwise empty) temp dir, but keep the lightweight metadata records so a later get_events can
+  // still report what happened (codex HIGH — privacy/TTL must hold without client cooperation, §24.1).
+  _stop(reason) {
+    if (this.stopped) return;
+    this.stopped = true; this.stopReason = reason;
+    if (this._timer) { clearTimeout(this._timer); this._timer = null; }
+    this._clearFrames();
+    try { rmSync(this.outDir, { recursive: true, force: true }); } catch {}
+  }
+
+  _clearFrames() {   // strip pixel data, keep metadata records
+    for (const ev of this.ring) { if (ev._img) { delete ev._img; ev.image = 'cleared (watch stopped)'; } }
+    this.bufBytes = 0;
+  }
+
+  dispose() {
+    this._stop(this.stopReason || 'disposed');
+    this.ring = []; this.bufBytes = 0;            // drop everything, including metadata
+  }
+}
+
+const watches = new Map();
+
+function startWatch(a) {
+  if (plat !== 'win32') return { payload: { error: 'start_watch is currently Windows-only', platform: plat }, isError: true };
+  // Require EXACTLY one fixed target — not "at least one" — so the worker's implicit precedence can't make a
+  // caller watch a different target than they passed (codex LOW). Cursor mode is disallowed (the cursor moves).
+  const targetCount = (a.region ? 1 : 0) + (a.window ? 1 : 0) + (a.monitor != null ? 1 : 0);
+  if (targetCount === 0) {
+    return { payload: { error: 'start_watch needs a fixed target — pass region, window, or monitor. Cursor mode is not allowed (the cursor moves, so every frame would differ).' }, isError: true };
+  }
+  if (targetCount > 1) {
+    return { payload: { error: 'start_watch takes exactly one target — pass only one of region, window, or monitor.' }, isError: true };
+  }
+  const watchId = a.watchId ? String(a.watchId) : 'default';
+  let replaced = false;
+  const existing = watches.get(watchId);
+  if (existing) { existing.dispose(); watches.delete(watchId); replaced = true; }
+  // Prune stopped/empty sessions before enforcing the cap, then reject if still over.
+  if (watches.size >= MAX_WATCHES) {
+    for (const [id, s] of watches) { if (s.stopped && s.ring.length === 0) { s.dispose(); watches.delete(id); } }
+  }
+  if (watches.size >= MAX_WATCHES) {
+    return { payload: { error: `too many concurrent watches (max ${MAX_WATCHES}) — stop one first with stop_watch.` }, isError: true };
+  }
+  const session = new WatchSession(watchId, a);
+  watches.set(watchId, session);
+  const status = session.start();
+  return { payload: { ok: true, action: replaced ? 'restarted' : 'started', ...status, hint: 'Watch runs in the background. Call get_events periodically to collect what changed; stop_watch when done.' }, isError: false };
+}
+
+function stopWatch(a) {
+  const watchId = a.watchId ? String(a.watchId) : null;
+  if (!watchId) {
+    const ids = [...watches.keys()];
+    let total = 0;
+    for (const [, s] of watches) { total += s.emitted; s.dispose(); }
+    watches.clear();
+    return { payload: { ok: true, action: 'stopped-all', stopped: ids, totalEmitted: total }, isError: false };
+  }
+  const s = watches.get(watchId);
+  if (!s) return { payload: { error: `no watch with id "${watchId}"`, active: [...watches.keys()] }, isError: true };
+  const summary = { ok: true, action: 'stopped', watchId, polls: s.polls, emitted: s.emitted, dropped: s.dropped, discardedUnread: s.ring.length, ageMs: Date.now() - s.startedAt };
+  s.dispose(); watches.delete(watchId);
+  return { payload: summary, isError: false };
+}
+
+// get_events returns the buffered events as text records plus their settled frames as MCP image items.
+function getEvents(a) {
+  const watchId = a.watchId ? String(a.watchId) : 'default';
+  const s = watches.get(watchId);
+  if (!s) return { result: { payload: { error: `no watch with id "${watchId}"`, active: [...watches.keys()] }, isError: true }, images: [] };
+  const max = Number.isFinite(Number(a.max)) ? Math.min(GET_EVENTS_MAX, Math.max(1, Math.floor(Number(a.max)))) : GET_EVENTS_MAX;
+  const { records, images, remaining } = s.drain(max);
+  const payload = { watchId, events: records, returned: records.length, remaining, status: s.status() };
+  return { result: { payload, isError: false }, images };
+}
+
+const TOOLS = [
+  {
+    name: 'probe',
+    description: 'Check whether screen perception works in this environment + measure display/capture latency (P0.5).',
+    inputSchema: { type: 'object', properties: {}, additionalProperties: false },
+  },
+  {
+    name: 'read_ui',
+    description: 'Structured perception of the active/targeted window — UIA(Win)/AX(mac) tree: elements, roles, coordinates, text. Zero images, ~0 tokens (P1 primary).',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        window: { type: 'string', description: 'Target by a substring of the window title. If omitted, foreground.' },
+        target: { type: 'string', enum: ['foreground', 'cursor'], description: 'Target to use when no window is given.' },
+      },
+      additionalProperties: false,
+    },
+  },
+  {
+    name: 'classify_activity',
+    description: 'Adaptive companion: classify what the user is doing on the foreground window — returns { class: GAME|DEV|MEDIA|BROWSING|PRODUCTIVITY|UNKNOWN, process, title, notificationState, interruptible, canvas, uiaCount, fullscreen, profile, needsChangeRate }. Read-only, zero images. Use it to pick a help profile/cadence; for GAME, sample poll_change to split fast-action (break-gated) vs strategy (periodic). See docs/adaptive-companion.md.',
+    inputSchema: { type: 'object', properties: {}, additionalProperties: false },
+  },
+  {
+    name: 'capture_screen',
+    description: 'Pixel capture — fallback for canvas/games that structured perception cannot read. Target (priority): region > window > monitor > (default) around the cursor. Returns a PNG path (volatility is the caller\'s job, §8).',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        boxW: { type: 'number', description: 'Cursor-mode box width (default 600).' },
+        boxH: { type: 'number', description: 'Cursor-mode box height (default 400).' },
+        region: {
+          type: 'object',
+          description: 'Capture a fixed region (ignores cursor). Virtual-screen physical coordinates.',
+          properties: { x: { type: 'number' }, y: { type: 'number' }, w: { type: 'number' }, h: { type: 'number' } },
+          required: ['x', 'y', 'w', 'h'],
+          additionalProperties: false,
+        },
+        window: { type: 'string', description: 'Window title substring -> capture that window\'s region (ignores cursor). Tracks the window even as it moves.' },
+        monitor: { type: 'string', description: "Target a monitor (ignores cursor): 1-based index ('3') or 'primary'. For continuously watching a game-only monitor." },
+        detail: { type: 'string', description: "Resolution preset: 'gist' (flow only, small) / 'normal' (default) / 'text' (text/code, large). For reading text, prefer region/window + 'text' over a whole monitor." },
+        scale: { type: 'number', description: 'Upscale factor (small regions). When set, overrides detail.' },
+        maxSide: { type: 'number', description: 'Upper bound on the output longest side in px. When set, overrides detail.' },
+      },
+      additionalProperties: false,
+    },
+  },
+  {
+    name: 'watch_capture',
+    description: 'Capture a fixed target N times at a set interval (within one pwsh process — avoids per-frame re-spawn cost). With changeOnly, save only frames that changed from the previous one. Synchronous/blocking (waits for the response over frames×interval) — Windows-only PoC. Target priority: region > window > monitor > cursor.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        frames: { type: 'number', description: 'Number of frames to capture (>1).' },
+        intervalMs: { type: 'number', description: 'Interval between frames (ms, default 1000).' },
+        changeOnly: { type: 'boolean', description: 'Save only frames that changed from the previous one (default false).' },
+        changeThreshold: { type: 'number', description: 'Change-detection threshold % (default 2.0).' },
+        region: {
+          type: 'object',
+          description: 'Fixed region (ignores cursor). Virtual-screen physical coordinates.',
+          properties: { x: { type: 'number' }, y: { type: 'number' }, w: { type: 'number' }, h: { type: 'number' } },
+          required: ['x', 'y', 'w', 'h'],
+          additionalProperties: false,
+        },
+        window: { type: 'string', description: 'Window title substring (ignores cursor, tracks movement).' },
+        monitor: { type: 'string', description: "Target a monitor (ignores cursor): index or 'primary'." },
+        boxW: { type: 'number', description: 'Cursor-mode box width.' },
+        boxH: { type: 'number', description: 'Cursor-mode box height.' },
+        detail: { type: 'string', description: "Resolution preset: 'gist'/'normal'/'text'. An explicit scale/maxSide takes precedence." },
+        scale: { type: 'number', description: 'Upscale factor. When set, overrides detail.' },
+        maxSide: { type: 'number', description: 'Upper bound on the output longest side in px. When set, overrides detail.' },
+      },
+      additionalProperties: false,
+    },
+  },
+  {
+    name: 'poll_change',
+    description: 'Look at the screen once (async watch primitive) — capture the target once, compare with the previous shot, and immediately return only the change rate. The resident worker remembers the previous state per watchId (continuity). **By default, metadata only (changed, changePct; no image saved = token savings)** — pass includeImage:true to also get the image (path) only when you actually need to see the screen. "Watching alongside" is built by the agent repeatedly calling this tool (polling) every 1-2 seconds — non-blocking, the user can step in at any time. Use reset:true on start / target change. Windows-only.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        region: {
+          type: 'object',
+          description: 'Fixed region (ignores cursor). Virtual-screen physical coordinates.',
+          properties: { x: { type: 'number' }, y: { type: 'number' }, w: { type: 'number' }, h: { type: 'number' } },
+          required: ['x', 'y', 'w', 'h'],
+          additionalProperties: false,
+        },
+        window: { type: 'string', description: 'Window title substring (ignores cursor, tracks movement).' },
+        monitor: { type: 'string', description: "Target a monitor (ignores cursor): index or 'primary'." },
+        boxW: { type: 'number', description: 'Cursor-mode box width.' },
+        boxH: { type: 'number', description: 'Cursor-mode box height.' },
+        scale: { type: 'number', description: 'Upscale factor when includeImage. When set, overrides detail.' },
+        maxSide: { type: 'number', description: 'Upper bound on the output longest side in px when includeImage. When set, overrides detail.' },
+        changeThreshold: { type: 'number', description: 'Change-detection threshold % (default 2).' },
+        watchId: { type: 'string', description: 'Watch-session id (default "default"). The previous state is remembered under this id.' },
+        reset: { type: 'boolean', description: 'If true, discard the previous state and start a new baseline (on watch start / target change).' },
+        detail: { type: 'string', description: "Resolution preset: 'gist'/'normal'/'text' (the saved image size when includeImage)." },
+        includeImage: { type: 'boolean', description: 'Default false = metadata only (changePct etc., token savings). If true, also save and return the changed/baseline frame as a PNG (path).' },
+      },
+      additionalProperties: false,
+    },
+  },
+  {
+    name: 'beep',
+    description: 'Sound alert — call this to emit a beep when you have a message to show the user during watching (so they notice while looking at a game / another screen). Recommended to call right before printing the message. Windows-only. (A precursor to future voice TTS.)',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        pattern: { type: 'string', description: "Beep pattern: 'info' (once) / 'warn' (twice) / 'urgent' (three times). Default info." },
+        count: { type: 'number', description: 'Repeat count (overrides pattern when set). 1-10.' },
+        frequency: { type: 'number', description: 'Pitch in Hz (37-32767).' },
+        durationMs: { type: 'number', description: 'Duration of one beep in ms.' },
+      },
+      additionalProperties: false,
+    },
+  },
+  {
+    name: 'speak',
+    description:
+      "Speak ONE short line aloud in the user's language through the local TTS — the AGENT tier of the watch design. This is how you act as a companion while they look at a game / another screen: you SEE the screen (capture_screen / get_events), UNDERSTAND it, and say something useful — strategic advice, a warning about a threat/opportunity they might miss, brief commentary, or an answer to their question. These are YOUR OWN judged words (trusted), so they are spoken WITHOUT a provenance mark. Therefore do NOT pipe RAW screen text through here — summarize/judge it into your own sentence first; for unjudged raw screen text use an `ocr` trigger instead (it is marked as screen-derived). Keep it to one concise sentence. Globally rate-limited and never overlaps reflex speech (one set of ears). Windows-only.",
+    inputSchema: {
+      type: 'object',
+      properties: {
+        text: { type: 'string', description: 'The sentence to speak — your own words (a summary/advice/answer), not a raw screen dump. Kept short; long text is capped.' },
+      },
+      required: ['text'],
+      additionalProperties: false,
+    },
+  },
+  {
+    name: 'start_watch',
+    description:
+      'Start watching a fixed target in the BACKGROUND and return immediately (non-blocking). A built-in noise filter (debounce + cooldown) suppresses the per-frame ripple of video/games/scrolling and keeps only meaningful, SETTLED changes — so it works on screens that change every frame, where raw change-detection would flood you. Events accumulate in an in-memory buffer; collect them with get_events, end with stop_watch. Needs a fixed target (region/window/monitor — NOT the cursor). Tune with thresholds if needed. Windows-only. Auto-stops after 30 min.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        region: {
+          type: 'object',
+          description: 'Fixed region to watch (virtual-screen physical coordinates). Recommended for a game minimap/alert area.',
+          properties: { x: { type: 'number' }, y: { type: 'number' }, w: { type: 'number' }, h: { type: 'number' } },
+          required: ['x', 'y', 'w', 'h'],
+          additionalProperties: false,
+        },
+        window: { type: 'string', description: 'Window title substring to watch (tracks the window as it moves).' },
+        monitor: { type: 'string', description: "Monitor to watch: 1-based index ('2') or 'primary' (e.g. a game-only screen)." },
+        watchId: { type: 'string', description: 'Watch-session id (default "default"). Use distinct ids to run several watches at once; starting an existing id restarts it.' },
+        pollIntervalMs: { type: 'number', description: 'How often to sample the target (ms, default 600; clamped 400-5000). Lower = snappier + more CPU.' },
+        detail: { type: 'string', description: "Resolution preset for the captured settled frame: 'gist'/'normal'/'text'." },
+        activityThreshold: { type: 'number', description: 'Frame-to-frame % change that WAKES the filter (default 8). Set above your screen\'s ambient jitter (a playing video measures ~2.5-4%) and below a real transition (a scene cut ~16.8%).' },
+        quietThreshold: { type: 'number', description: 'Frame-to-frame % below which a frame counts as "still" (default 5). Hysteresis: forced below activityThreshold.' },
+        debounceQuietMs: { type: 'number', description: 'How long motion must stay quiet before the settled frame is emitted (ms, default 900 = quality gate).' },
+        cooldownMs: { type: 'number', description: 'Minimum gap between events (ms, default 6000 = frequency cap; suppresses ripples of one activity).' },
+        maxWaitMs: { type: 'number', description: 'If motion never settles, emit anyway this often (ms, default 8000 = anti-starvation for continuous motion).' },
+        triggers: {
+          type: 'array',
+          description: 'Reflex triggers (design §22.3): fire a local alert the INSTANT the watched region changes past a threshold — no cloud LLM round-trip, so it reaches the user in well under a second. Actions: `beep` (sound), `say` (speak a FIXED pre-written phrase — safest), `ocr` (read the region\'s text aloud via offline OCR), or `vision` (describe the scene via a LOCAL vision model if one is configured + fast enough, else auto-degrades to ocr). Spoken screen content is marked as screen-derived (by default a verbal "화면 글자:" / "로컬 비전:" prefix; a non-verbal chime when VORTEX_CU_SPEECH_PROVENANCE=earcon) and shaped; speech is globally rate-limited. Use a `beep`/`say` reflex for "ping me the moment X happens"; for the deeper, JUDGED commentary (advice, warnings, answers) look at the get_events frame and voice your own sentence with the `speak` tool — raw `ocr` readout is just a fallback.',
+          maxItems: 8,
+          items: {
+            type: 'object',
+            properties: {
+              action: { type: 'string', enum: ['beep', 'say', 'ocr', 'vision'], description: "What to do on a crossing." },
+              threshold: { type: 'number', description: 'Frame-to-frame % change that fires this trigger (default 12).' },
+              say: { type: 'string', description: "For action 'say': the fixed phrase to speak (e.g. '적 출현')." },
+              beep: { type: 'string', description: "For action 'beep': 'info'/'warn'/'urgent' (default warn)." },
+              cooldownMs: { type: 'number', description: 'Minimum gap between firings of this trigger (ms, default 8000).' },
+              dwellMs: { type: 'number', description: "For action 'ocr': wait this long after the change before reading, so the frame is settled (ms, default 700)." },
+            },
+            required: ['action'],
+            additionalProperties: false,
+          },
+        },
+      },
+      additionalProperties: false,
+    },
+  },
+  {
+    name: 'get_events',
+    description:
+      'Collect the changes a background watch (start_watch) has buffered since the last call — non-blocking, batched (so a long watch costs only a few looks). Returns one record per settled change (time, reason, change magnitude, capture metadata) plus the settled frames as inline images, and a status block (polls, buffered, dropped, filter phase). Drains what it returns; call again for any remainder.',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        watchId: { type: 'string', description: 'Which watch to collect from (default "default").' },
+        max: { type: 'number', description: 'Max events to return this call (default/cap 12). Remaining stay buffered.' },
+      },
+      additionalProperties: false,
+    },
+  },
+  {
+    name: 'stop_watch',
+    description: 'Stop a background watch and discard its buffer + in-memory frames. Omit watchId to stop ALL watches. Returns a summary (polls, events emitted, unread discarded).',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        watchId: { type: 'string', description: 'Which watch to stop. Omit to stop every active watch.' },
+      },
+      additionalProperties: false,
+    },
+  },
+];
+
+// The CallTool handler — standalone (no SDK types), wired to the server only on the serve path.
+async function handleCallTool(req) {
+  const { name, arguments: a = {} } = req.params;
+  const useWorker = plat === 'win32';   // the resident worker is Windows PowerShell backend only
+  let result;
+  let reqDir = null;   // per-request temp dir for screenshots — deleted in finally on EVERY exit path (codex blocker: timeout/error left files behind)
+  // Clamp output-size knobs at the MCP boundary so a huge upscale can't blow up the response / PS render (codex #med).
+  if (a.scale != null) { const s = Number(a.scale); a.scale = Number.isFinite(s) ? Math.min(8, Math.max(0.1, s)) : undefined; }
+  if (a.maxSide != null) { const m = Number(a.maxSide); a.maxSide = Number.isFinite(m) ? Math.min(4096, Math.max(16, Math.floor(m))) : undefined; }
+  try {
+  if (name === 'probe') {
+    result = useWorker ? await viaWorker('probe', {}) : runBackend('probe');
+    // If a local VLM is configured, also report its availability (synthetic-image probe — no real screen sent).
+    // This is the only place probe touches the network, and only when the user opted in by setting an endpoint.
+    if (VLM.enabled && result && result.payload && typeof result.payload === 'object') {
+      try { result.payload.vlm = await probeVlm(); } catch (e) { result.payload.vlm = { available: false, reason: String((e && e.message) || e) }; }
+    }
+  } else if (name === 'read_ui') {
+    if (useWorker) {
+      const wa = {};
+      if (a.window) wa.windowMatch = String(a.window);
+      if (a.target) wa.target = String(a.target);
+      result = await viaWorker('read_ui', wa);
+    } else {
+      const args = [];
+      if (a.window) args.push('-WindowMatch', String(a.window));
+      if (a.target) args.push('-Target', String(a.target));
+      result = runBackend('read', args);
+    }
+  } else if (name === 'classify_activity') {
+    if (plat !== 'win32') {
+      result = { payload: { error: 'classify_activity is currently Windows-only', platform: plat }, isError: true };
+    } else {
+      const raw = runBackend('classify', [], 8000);   // fast one-shot; 8s hard timeout so a hung UIA call can't freeze the loop
+      if (raw.isError) {
+        result = raw;
+      } else {
+        try {
+          const opts = { profiles: COMPANION_PROFILES };
+          if (process.env.VORTEX_CU_UIA_CANVAS_MAX) opts.uiaCanvasMax = Number(process.env.VORTEX_CU_UIA_CANVAS_MAX);
+          const d = classifyActivity(raw.payload, opts);
+          const p = raw.payload || {};
+          result = { payload: { ...d, redacted: !!p.redacted, reason: p.reason, procId: p.procId, hwnd: p.hwnd, uiaCapped: p.uiaCapped, uiaOk: p.uiaOk, notificationStateCode: p.notificationState } };
+        } catch (e) {
+          result = { payload: { error: 'classify failed', detail: String((e && e.message) || e), raw: raw.payload }, isError: true };
+        }
+      }
+    }
+  } else if (name === 'capture_screen') {
+    reqDir = mkdtempSync(join(tmpdir(), 'vortex-cu-'));
+    if (useWorker) {
+      const wa = { outDir: reqDir };
+      if (a.region) wa.region = `${a.region.x},${a.region.y},${a.region.w},${a.region.h}`;
+      if (a.window) wa.windowMatch = String(a.window);
+      if (a.monitor != null) wa.monitor = String(a.monitor);
+      if (a.boxW) wa.boxW = a.boxW;
+      if (a.boxH) wa.boxH = a.boxH;
+      if (a.detail) wa.detail = String(a.detail);
+      if (a.scale != null) wa.scale = a.scale;
+      if (a.maxSide != null) wa.maxSide = a.maxSide;
+      result = await viaWorker('capture', wa);
+    } else {
+      const args = ['-OutDir', reqDir];
+      if (a.boxW) args.push('-BoxW', String(a.boxW));
+      if (a.boxH) args.push('-BoxH', String(a.boxH));
+      result = runBackend('capture', args);
+    }
+  } else if (name === 'watch_capture') {
+    // watch isn't run on the resident worker (avoids blocking other calls with a long occupation, codex #1) -> always per-call spawn.
+    if (plat !== 'win32') {
+      result = { payload: { error: 'watch_capture is currently Windows-only', platform: plat }, isError: true };
+    } else {
+      // Hard caps so one watch call can't run unbounded; async runner so it never blocks the server (codex #high).
+      reqDir = mkdtempSync(join(tmpdir(), 'vortex-cu-'));
+      const MAX_FRAMES = 60, MIN_INTERVAL = 100, MAX_INTERVAL = 10000, MAX_WATCH_MS = 180000;
+      const reqFrames = Number(a.frames), reqInterval = Number(a.intervalMs);
+      const frames = Math.min(MAX_FRAMES, Math.max(1, Number.isFinite(reqFrames) && reqFrames > 0 ? Math.floor(reqFrames) : 2));
+      const intervalMs = Math.min(MAX_INTERVAL, Math.max(MIN_INTERVAL, Number.isFinite(reqInterval) && reqInterval > 0 ? Math.floor(reqInterval) : 1000));
+      const args = ['-WatchFrames', String(frames), '-IntervalMs', String(intervalMs), '-OutDir', reqDir];
+      if (a.changeOnly) args.push('-ChangeOnly');
+      if (a.changeThreshold != null) args.push('-ChangeThreshold', String(a.changeThreshold));
+      if (a.region) args.push('-Region', `${a.region.x},${a.region.y},${a.region.w},${a.region.h}`);
+      if (a.window) args.push('-WindowMatch', String(a.window));
+      if (a.monitor != null) args.push('-Monitor', String(a.monitor));
+      if (a.boxW) args.push('-BoxW', String(a.boxW));
+      if (a.boxH) args.push('-BoxH', String(a.boxH));
+      if (a.detail) args.push('-Detail', String(a.detail));
+      if (a.scale != null) args.push('-Scale', String(a.scale));
+      if (a.maxSide != null) args.push('-MaxSide', String(a.maxSide));
+      const timeoutMs = Math.min(MAX_WATCH_MS, frames * intervalMs + 15000);
+      result = await runBackendAsync('capture', args, timeoutMs, reqDir);
+      if (result.cleanupOwned) reqDir = null;   // runBackendAsync deferred cleanup (timeout/cap fallback) — don't race it in finally
+    }
+  } else if (name === 'poll_change') {
+    // async watch primitive — a fast single shot, so it goes through the worker (which also holds the previous state). win32 only.
+    if (plat !== 'win32') {
+      result = { payload: { error: 'poll_change is currently Windows-only', platform: plat }, isError: true };
+    } else {
+      const wa = {};
+      if (a.includeImage) { reqDir = mkdtempSync(join(tmpdir(), 'vortex-cu-')); wa.outDir = reqDir; wa.includeImage = true; }
+      if (a.region) wa.region = `${a.region.x},${a.region.y},${a.region.w},${a.region.h}`;
+      if (a.window) wa.windowMatch = String(a.window);
+      if (a.monitor != null) wa.monitor = String(a.monitor);
+      if (a.boxW) wa.boxW = a.boxW;
+      if (a.boxH) wa.boxH = a.boxH;
+      if (a.scale != null) wa.scale = a.scale;
+      if (a.maxSide != null) wa.maxSide = a.maxSide;
+      if (a.detail) wa.detail = String(a.detail);
+      if (a.changeThreshold != null) wa.changeThreshold = a.changeThreshold;
+      const wid = a.watchId ? String(a.watchId) : 'default';
+      if (a.watchId) wa.watchId = wid;
+      if (a.reset) wa.reset = true;
+      const seenBefore = pollSeen.has(wid);
+      result = await viaWorker('poll_change', wa);
+      // Record the watchId only after a SUCCESSFUL poll (payload carries a boolean baseline) — a failed first call must
+      // not make the next valid baseline look like a reset; bound the set so attacker-chosen watchIds can't grow it forever. codex #low.
+      if (result && result.payload && typeof result.payload.baseline === 'boolean') {
+        if (pollSeen.size > 1000) pollSeen.clear();
+        pollSeen.add(wid);
+      }
+      // A non-reset follow-up that comes back baseline=true means the worker lost its state (restart/idle-dispose/crash).
+      // Surface it as a reset so the agent treats it as a fresh baseline — NOT as "no change" (a real change in the gap would otherwise be silently missed). codex #high.
+      if (!a.reset && seenBefore && result && result.payload && result.payload.baseline === true) {
+        result.payload.stateReset = true;
+        result.payload.warning = 'watch state was lost (worker restarted/idle-disposed) — this is a fresh baseline, not a "no change" result; a change during the gap may have been missed.';
+      }
+    }
+  } else if (name === 'beep') {
+    if (plat !== 'win32') {
+      result = { payload: { error: 'beep is currently Windows-only', platform: plat }, isError: true };
+    } else {
+      const wa = {};
+      if (a.pattern) wa.pattern = String(a.pattern);
+      if (a.count != null) wa.count = a.count;
+      if (a.frequency != null) wa.frequency = a.frequency;
+      if (a.durationMs != null) wa.durationMs = a.durationMs;
+      result = await viaWorker('beep', wa);
+    }
+  } else if (name === 'speak') {
+    // Agent-authored speech: trusted content -> no provenance mark (treated like a 'say' fixed phrase), but
+    // still shaped + globally budgeted + no-overlap with reflex speech (one set of ears). Non-blocking.
+    if (plat !== 'win32') {
+      result = { payload: { error: 'speak is currently Windows-only', platform: plat }, isError: true };
+    } else if (typeof a.text !== 'string' || !a.text.trim()) {
+      result = { payload: { ok: false, error: 'empty text' }, isError: true };
+    } else {
+      const r = reflexSpeak('agent', a.text);   // agent's judged words: no provenance mark, but redacted + shaped + budgeted
+      result = { payload: r.ok ? { ok: true, uttered: r.uttered } : { ok: false, skipped: r.reason } };
+    }
+  } else if (name === 'start_watch') {
+    result = startWatch(a);
+  } else if (name === 'stop_watch') {
+    result = stopWatch(a);
+  } else if (name === 'get_events') {
+    // get_events carries its OWN already-materialized image items (from the watch buffer) — return them directly
+    // and skip the generic materializeImages pass (there are no on-disk paths in the payload to re-read).
+    if (plat !== 'win32') {
+      result = { payload: { error: 'get_events is currently Windows-only', platform: plat }, isError: true };
+    } else {
+      const { result: r, images } = getEvents(a);
+      auditLog('get_events', r.payload, images);
+      return { content: [{ type: 'text', text: JSON.stringify(r.payload, null, 2) }, ...images], isError: r.isError };
+    }
+  } else {
+    return { content: [{ type: 'text', text: `unknown tool: ${name}` }], isError: true };
+  }
+  const imageItems = materializeImages(result.payload);
+  auditLog(name, result.payload, imageItems);   // metadata/HMAC only — original image and text are not stored (§8)
+  return { content: [{ type: 'text', text: JSON.stringify(result.payload, null, 2) }, ...imageItems], isError: result.isError };
+  } finally {
+    if (reqDir) { try { rmSync(reqDir, { recursive: true, force: true }); } catch {} }
+  }
+}
+
+// Clean up the worker + any background watches on server shutdown (stops the loops, frees in-RAM frames,
+// removes the watch temp dirs). The worker also auto-terminates via stdin EOF when the parent dies.
+process.on('exit', () => { try { if (speakingChild) speakingChild.kill(); } catch {} for (const s of watches.values()) { try { s.dispose(); } catch {} } workerMgr.dispose(); });
+process.on('SIGINT', () => process.exit(0));
+process.on('SIGTERM', () => process.exit(0));
+
+// ── install mode: self-register into the project .mcp.json (stage 1) ─────────
+// `vortex-mcp-computer-use install [--path <file>]` — merge-safe registration. ALWAYS uses the
+// non-reserved key "vortex-computer-use" (the host reserves "computer-use" and silently won't load
+// it), preserves every other server + top-level field, and refuses to overwrite a malformed file.
+const SERVER_KEY = 'vortex-computer-use';
+const SERVER_ENTRY = { command: 'node', args: ['node_modules/@vortex-os/computer-use/scripts/mcp-stdio.mjs'] };
+
+const isObjLit = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
+const refuse = (msg) => { process.stderr.write(`[install] ${msg}\n`); process.exit(1); };
+
+function runInstall(argv) {
+  const i = argv.indexOf('--path');
+  let target;
+  if (i >= 0) {
+    const v = argv[i + 1];
+    if (!v || v.startsWith('--')) refuse('--path requires a file path argument.');
+    target = v;
+  } else {
+    target = join(process.cwd(), '.mcp.json');
+  }
+  let existing = {};
+  if (existsSync(target)) {
+    let txt;
+    try { txt = readFileSync(target, 'utf8').trim(); }
+    catch (e) { refuse(`${target} could not be read — left untouched: ${e.message}`); }
+    if (txt) {
+      let parsed;
+      try { parsed = JSON.parse(txt); }
+      catch (e) { refuse(`${target} is not valid JSON — refusing to overwrite (fix it first): ${e.message}`); }
+      if (!isObjLit(parsed)) refuse(`${target} is not a JSON object — refusing to overwrite.`);
+      if (parsed.mcpServers !== undefined && !isObjLit(parsed.mcpServers)) refuse(`${target} has a non-object "mcpServers" — refusing to overwrite.`);
+      existing = parsed;
+    }
+  }
+  const servers = isObjLit(existing.mcpServers) ? existing.mcpServers : {};
+  // ADD-ONLY: never clobber an existing "vortex-computer-use" entry (the user may have customized it).
+  if (Object.prototype.hasOwnProperty.call(servers, SERVER_KEY)) {
+    process.stdout.write(JSON.stringify({ ok: true, action: 'already-present', path: target, serverKey: SERVER_KEY }, null, 2) + '\n');
+    process.stderr.write(`[install] "${SERVER_KEY}" already registered in ${target} — left unchanged.\n`);
+    return;
+  }
+  const preserved = Object.keys(servers);
+  const merged = { ...existing, mcpServers: { ...servers, [SERVER_KEY]: SERVER_ENTRY } };
+  // Atomic write via a PRIVATE temp dir (random name, not a guessable sibling): write inside with
+  // exclusive-create, rename onto the target, then remove the dir. Avoids following a pre-placed
+  // temp symlink and leaves no stray temp on failure (codex r2 MEDIUM).
+  try { mkdirSync(dirname(target), { recursive: true }); } catch {}
+  const tmpDir = mkdtempSync(join(dirname(target), '.mcp-cu-'));
+  const tmp = join(tmpDir, 'mcp.json');
+  try {
+    writeFileSync(tmp, JSON.stringify(merged, null, 2) + '\n', { encoding: 'utf8', flag: 'wx' });
+    renameSync(tmp, target);
+  } finally {
+    try { rmSync(tmpDir, { recursive: true, force: true }); } catch {}
+  }
+  process.stdout.write(JSON.stringify({ ok: true, action: 'added', path: target, serverKey: SERVER_KEY, preservedServers: preserved }, null, 2) + '\n');
+  process.stderr.write(
+    `[install] added "${SERVER_KEY}" in ${target}` +
+      (preserved.length ? ` (kept: ${preserved.join(', ')})` : '') + '\n' +
+      `[install] Restart the agent — or approve the new MCP server when prompted — to load the computer-use tools.\n`,
+  );
+}
+
+if (process.argv.slice(2).includes('install')) {
+  runInstall(process.argv.slice(2));
+} else {
+  // Serve path: load the MCP SDK dynamically (so `install` never requires it), wire the handlers, connect.
+  const { Server } = await import('@modelcontextprotocol/sdk/server/index.js');
+  const { StdioServerTransport } = await import('@modelcontextprotocol/sdk/server/stdio.js');
+  const { ListToolsRequestSchema, CallToolRequestSchema } = await import('@modelcontextprotocol/sdk/types.js');
+  const server = new Server({ name: 'computer-use', version: PKG_VERSION }, { capabilities: { tools: {} } });
+  server.setRequestHandler(ListToolsRequestSchema, async () => ({ tools: TOOLS }));
+  server.setRequestHandler(CallToolRequestSchema, handleCallTool);
+  await server.connect(new StdioServerTransport());
+  process.stderr.write(`[computer-use MCP] ready on stdio (worker=${plat === 'win32' ? 'on' : 'off'}; tools: probe, read_ui, classify_activity, capture_screen, watch_capture, poll_change, start_watch, get_events, stop_watch, beep, speak)\n`);
+}